Preface



This volume contains the proceedings of the 10th International Conference on 
Concurrency Theory (CONCUR’99) held in Eindhoven, The Netherlands, 24-27 
August 1999. 

The purpose of the CONCUR conferences is to bring together researchers, developers and students in order to advance the theory of concurrency and promote its applications. Interest in this topic is continuously growing, as a consequence of the importance and ubiquity of concurrent systems and their applications, and of the scientific relevance of their foundations. The scope of CONCUR’99 covers all areas of semantics, logics and verification techniques for concurrent systems. A list of specific topics includes (but is not limited to) concurrency-related aspects of: models of computation and semantic domains, process algebras, Petri nets, event structures, real-time systems, hybrid systems, stochastic systems, decidability, model-checking, verification techniques, refinement techniques, term and graph rewriting, distributed programming, logic constraint programming, object-oriented programming, typing systems and algorithms, case studies, and tools and environments for programming and verification.

The first two CONCUR conferences were held in Amsterdam (NL) in 1990 
and 1991, the following ones in Stony Brook (USA), Hildesheim (D), Uppsala 
(S), Philadelphia (USA), Pisa (I), Warsaw (PL) and Nice (F). The proceedings 
have appeared in Springer LNCS, as Volumes 458, 527, 630, 715, 836, 962, 1119, 
1243, and 1466. 

Of the 91 regular papers submitted this year, 32 were accepted for presentation at the conference and are included in the present volume. Apart from these, the conference included four invited presentations, by Rance Cleaveland (State University of New York at Stony Brook, USA), Javier Esparza (Technische Universität München, D), Rob van Glabbeek (Stanford University, USA) and Catuscia Palamidessi (Pennsylvania State University, USA), and three invited tutorials, by Petr Jančar (Technical University of Ostrava, CZ), Nils Klarlund (AT&T Labs Research, USA) and Jan Tretmans (Universiteit Twente, NL).

We want to thank all members of the program committee, and their subreferees, for selecting the papers to be presented.

Special thanks are due to the local organization committee, chaired by Jan 
Friso Groote. Dragan Bosnacki arranged the tool demonstrations, Andre Engels 
was webmaster, Kees Middelburg was in charge of the tutorials, and Martijn 
Oostdijk took care of the submission software (written by Vladimiro Sassone). 
Local arrangements, and help with registration, were provided by Marcella de 
Rooij, Desiree Meijers, and Anne-Meta Oversteegen. 

The conference had three satellite events, all held on 23 August 1999. These were PROBMIV’99 (Workshop on Probabilistic Methods in Verification), EXPRESS’99 (6th International Workshop on Expressiveness in Concurrency), and VFM (Symposium on Visual Formal Methods). We thank Eindhoven University of Technology for hosting the event and providing many facilities. We thank our sponsors IPA (Institute of Programming Research and Algorithmics, NL), Philips Research Eindhoven, and EESI (Eindhoven Embedded Systems Institute).
Temporal Process Logic*



Rance Cleaveland

Dept. of Comp. Sci., SUNY at Stony Brook, Stony Brook, NY 11794-4400, USA

rance@cs.sunysb.edu



Abstract of Invited Talk 

Research in the specification and verification of concurrent systems falls into two general categories. The temporal logic school advocates temporal logic as a language for formulating system requirements, with the semantics of the logic being used as a basis for determining whether or not a system is correct. The process-algebraic community focuses on the use of “higher-level” system descriptions as specifications of “lower-level” ones, with a refinement relation being used to determine whether an implementation conforms to a specification. From a user’s perspective, the approaches offer different benefits and drawbacks. Temporal logic supports “scenario-based” specifications, since formulas may be given that focus on single aspects of system behavior. On the other hand, temporal logic specifications suffer from a lack of compositionality, since the language of specifications differs from the system description language. In contrast, compositional specification is the hallmark of process algebraic reasoning, but at the expense of requiring what some view as overly detailed specifications. Although much research has studied the connections between temporal logic and process algebra, a truly uniform formalism that combines the advantages of the two approaches has yet to emerge.

In my talk I present preliminary results obtained by Gerald Lüttgen, of ICASE, and me on the development of such a formalism. Our approach features a process-algebra-inspired notation that enriches traditional process algebras by allowing linear-time temporal formulas to be embedded in system descriptions. We show how the combined formalism may be given a uniform operational semantics in Plotkin’s Structural Operational Semantics (SOS) style, and we define a refinement relation based on De Nicola/Hennessy testing and discuss its congruence properties. We then demonstrate that traditional temporal-logic-style arguments about system correctness can be naturally captured via refinement; we also illustrate how the combination of logical and system operators allows users to define systems in which some “components” remain specified only as formulas.



* Research supported by NSF grants CCR-9257963, CCR-9505562 and CCR-9804091, AFOSR grant F49620-95-1-0508, and ARO grant P-38682-MA.
An Unfolding Algorithm for Synchronous Products of Transition Systems*



Javier Esparza and Stefan Römer

Institut für Informatik, Technische Universität München
{esparza,roemer}@in.tum.de



Abstract. The unfolding method, initially introduced for systems modelled by Petri nets, is applied to synchronous products of transition systems, a model introduced by Arnold. An unfolding procedure is provided which exploits the product structure of the model. Its performance is evaluated on a set of benchmarks.



1 Introduction 

The unfolding method is a partial order approach to the verification of concurrent systems introduced by McMillan in his Ph.D. thesis. A finite state system, modelled as a Petri net, is unfolded to yield an equivalent acyclic net with a simpler structure. This net is usually infinite, and so in general it cannot be used for automatic verification. However, it is possible to construct a complete finite prefix of it containing as much information as the infinite net itself: Loosely speaking, this prefix already contains all the reachable states of the system. The prefix is usually far smaller than the state space, and often smaller than a BDD representation of it, and it can be used as input for efficient verification algorithms. A rather complete bibliography on the unfolding method, containing over 60 papers on semantics, algorithms, and applications, is accessible online.

The thesis of this paper is that the unfolding method is applicable to any model of concurrency for which a notion of ‘events occurring independently from each other’ can be defined, and not only to Petri nets — as is often assumed. We provide evidence in favour of this thesis by applying the method to synchronous products of labelled transition systems. In this model, introduced by Arnold, a system consists of a tuple of communicating sequential components. The communication discipline, formalised by means of so-called synchronisation vectors, is very general, and contains as special cases the communication mechanisms of process algebras like CCS and CSP.

Readers acquainted with both Arnold’s and the Petri net model will probably think that our task is not very difficult, and they are right. It is indeed straightforward to give synchronous products of transition systems a Petri net semantics, and then apply the usual machinery. But we go a bit further: We show that the additional structure of Arnold’s model with respect to Petri nets — the fact that we are given a decomposition of the system into sequential components — can be used to simplify the unfolding method. More precisely, in a former paper by Vogler and the authors we showed that the key to an efficient algorithm for the construction of a complete finite prefix is to find a mathematical object called a total adequate order, and provided such an order for systems modelled by Petri nets¹. In this paper we present a new total adequate order for synchronous products of labelled transition systems. The proof of adequacy for this new order is simpler than the proof given there.

* Work partially supported by the Teilprojekt A3 SAM of the Sonderforschungsbereich 342 “Werkzeuge und Methoden für die Nutzung paralleler Rechnerarchitekturen”.

Jos C.M. Baeten, Sjouke Mauw (Eds.): CONCUR’99, LNCS 1664, 1999.

© Springer-Verlag Berlin Heidelberg 1999

In a second part of the paper we describe an efficient implementation of the algorithm, and compare it with the algorithm of the former paper on a set of benchmarks.

Very recently, further evidence for the wide applicability of unfoldings has been provided by Langerak and Brinksma. Independently from us, they have applied the unfolding technique to a CSP-like process algebra, a model even further away from Petri nets than ours. A brief discussion of the relation to our work can be found in the conclusions.

The paper is organised as follows. Section 2 introduces synchronous products of transition systems following Arnold, and Section 3 gives them a partial order semantics based on unfoldings. Section 4 describes an algorithm to construct a complete finite prefix. Section 5 discusses how to efficiently implement it. Section 6 discusses the performance of the new algorithm.



2 Synchronous Products of Transition Systems 

In this section we introduce Arnold’s model and its standard interleaving semantics. Notations follow Arnold’s with very few minor changes.



2.1 Labelled Transition Systems 

A labelled transition system is a tuple $A = (S, T, \alpha, \beta, \lambda)$, where $S$ is a set of states, $T$ is a set of transitions, $\alpha, \beta : T \to S$ are the source and target mappings, and $\lambda : T \to \mathcal{A}$ is a labelling mapping assigning to each transition a letter from an alphabet $\mathcal{A}$. We assume that $\mathcal{A}$ contains a special label $\varepsilon$, and that for each state $s \in S$ there is a transition $\varepsilon_s$ such that $\alpha(\varepsilon_s) = s = \beta(\varepsilon_s)$, and $\lambda(\varepsilon_s) = \varepsilon$. Moreover, no other transitions are labelled by $\varepsilon$. Transitions labelled by $\varepsilon$ are called idle transitions in the sequel.

We use a graphical representation for labelled transition systems. States are represented by circles, and a transition $t$ with $\alpha(t) = s$, $\beta(t) = s'$, and $\lambda(t) = a$ is represented by an arrow leading from $s$ to $s'$ labelled by $t : a$. Idle transitions are not represented. Figure 1 shows two labelled transition systems.

¹ More exactly, systems modelled by 1-safe Petri nets, i.e., Petri nets whose places can hold at most one token.
Fig. 1. Two labelled transition systems



2.2 Synchronous Products 

Let $A_1, \ldots, A_n$ be labelled transition systems, where $A_i = (S_i, T_i, \alpha_i, \beta_i, \lambda_i)$, and $\lambda_i$ labels each transition of $T_i$ with an element of an alphabet $\mathcal{A}_i$. We assume for convenience that the sets $S_i$ and $T_i$ are pairwise disjoint. A subset $I$ of $(\mathcal{A}_1 \times \ldots \times \mathcal{A}_n) \setminus \{(\varepsilon, \ldots, \varepsilon)\}$ is called a synchronisation constraint, and the elements of $I$ are called synchronisation vectors. Loosely speaking, these vectors indicate which transitions of $A_1, \ldots, A_n$ must synchronise. The tuple $A = (A_1, \ldots, A_n, I)$ is called the synchronous product of the $A_i$ under $I$.

As running example we use $A = (A_1, A_2, I)$, where $A_1, A_2$ are the two labelled transition systems of Figure 1 and $I$ contains the following synchronisation vectors: $(?, \varepsilon)$, $(\varepsilon, a)$, $(\varepsilon, c)$, $(c, b)$. I.e., $c$-labelled transitions of $A_1$ must synchronise with $b$-labelled transitions of $A_2$. The other transitions do not synchronise.



The interleaving semantics of $A$ is the labelled transition system $A_{int} = (S, T, \alpha, \beta, \lambda)$, where $\lambda : T \to I$, and
$$
\begin{aligned}
S &= S_1 \times \ldots \times S_n \\
T &= \{ (t_1, \ldots, t_n) \mid (\lambda_1(t_1), \ldots, \lambda_n(t_n)) \in I \} \\
\alpha((t_1, \ldots, t_n)) &= (\alpha_1(t_1), \ldots, \alpha_n(t_n)) \\
\beta((t_1, \ldots, t_n)) &= (\beta_1(t_1), \ldots, \beta_n(t_n)) \\
\lambda((t_1, \ldots, t_n)) &= (\lambda_1(t_1), \ldots, \lambda_n(t_n))
\end{aligned}
$$
The elements of $S$ and $T$ are called global states and global transitions, respectively.

If each of the $A_i$ has a distinguished initial state $is_i$, then the initial state of $A$ is the tuple $is = (is_1, \ldots, is_n)$, and $A$ with $is$ as initial state is denoted by $(A, is)$. The set of reachable global states is then the set of global states reachable from $is$. For our running example we take $is = (s_1, r_1)$.

We introduce a notation that will help us to later define the unfolding of $A$. Given a global transition $t = (t_1, \ldots, t_n)$ of $A$, we define
$$
\begin{aligned}
{}^\bullet t &= \{ \alpha_i(t_i) \mid 1 \le i \le n \text{ and } \lambda_i(t_i) \ne \varepsilon \} \\
t^\bullet &= \{ \beta_i(t_i) \mid 1 \le i \le n \text{ and } \lambda_i(t_i) \ne \varepsilon \}
\end{aligned}
$$
Loosely speaking, ${}^\bullet t$ contains the sources of the non-idle transitions of $t$, and $t^\bullet$ their targets.
3 Unfolding of a Synchronous Product

In Arnold’s work synchronous products are only given an interleaving semantics. In this section we give them a partial order semantics based on the notion of unfolding of a synchronous product, and show its compatibility with the interleaving semantics. We introduce a number of standard notions about Petri nets, but sometimes our definitions are not completely formalised. The reader interested in rigorous definitions is referred to the literature.



3.1 Petri Nets 

As usual, a net consists of a set of places, graphically represented by circles, a set of transitions, graphically represented as boxes, and a flow relation assigning to each place (transition) a set of input and a set of output transitions (places). The flow relation is graphically represented by arrows leading from places to transitions and from transitions to places. In order to avoid confusions between the transitions of a transition system and the transitions of a Petri net, we call the latter events in the sequel. Places and events are called nodes; given a node $x$, the set of input and output nodes of $x$ is denoted by ${}^\bullet x$ and $x^\bullet$, respectively. A place of a net can hold tokens, and a mapping assigning to each place a number of tokens is called a marking. If, at a given marking, all the input places of an event hold at least one token, then the event can occur, which leads to a new marking obtained by removing one token from each input place and adding one token to each output place. An occurrence sequence is a sequence of events that can occur in the order specified by the sequence.

A synchronous product can be associated a Petri net as follows: Take a place for each state of each component, and an event for each global transition; add an arc from $s$ to $t$ if $s \in {}^\bullet t$, and from $t$ to $s$ if $s \in t^\bullet$; put a token in the initial state of each component, and no tokens elsewhere. The unfolding of a synchronous product can be defined as the unfolding of its associated Petri net, but in the rest of the section we give a direct definition.



3.2 Occurrence Nets

Given two nodes $x$ and $y$ of a net, we say that $x$ is causally related to $y$, denoted by $x < y$, if there is a (possibly empty) path of arrows from $x$ to $y$. We say that $x$ and $y$ are in conflict, denoted by $x \# y$, if there is a place $z$, different from $x$ and $y$, from which one can reach $x$ and $y$, exiting $z$ by different arrows. Finally, we say that $x$ and $y$ are concurrent, denoted by $x \mathbin{co} y$, if neither $x < y$ nor $y < x$ nor $x \# y$ hold. Occurrence nets are those satisfying the following three properties:

— the net, seen as a graph, has no cycles; 

— every place has at most one input event; 

— no node is in self-conflict, i.e., $x \# x$ holds for no $x$.

The nets of Figure 2 and Figure 3 are occurrence nets.






Occurrence nets can be infinite. We restrict ourselves to those in which every event has at least one input place, and in which the arrows cannot be followed backward infinitely from any point (this is called well-foundedness). It follows that by following the ar­rows backward we eventually reach a place without predecessors. These are the minimal places of the net.

We associate to an occurrence net a default initial marking, in which the 
minimal places carry exactly one token, and the other places no tokens. It is 
easy to see that all the markings reachable from the initial marking also put at 
most one token on a place. Therefore, we represent reachable markings as sets 
of places. 



3.3 Branching Processes 

Given a synchronous product of transition systems, we associate to it a set of labelled occurrence nets, called the branching processes of $A$. The places² of these nets are labelled with states of the components of $A$, and their events are labelled with global transitions. The places and events of the branching processes are all taken from two sets $\mathcal{P}$ and $\mathcal{E}$, inductively defined as follows:

— $\perp \in \mathcal{E}$, where $\perp$ is a special symbol;

— if $e \in \mathcal{E}$, then $(s, e) \in \mathcal{P}$ for every $s \in S_1 \cup \ldots \cup S_n$;

— if $X \subseteq \mathcal{P}$, then $(t, X) \in \mathcal{E}$ for every $t \in T$.

In our definition of branching process (see below) we make consistent use of these names: The label of a place $(s, e)$ is $s$, and its unique input event is $e$. Places $(s, \perp)$ are those having no input event, i.e., the special symbol $\perp$ is used for the minimal places of the occurrence net. Similarly, the label of an event $(t, X)$ is $t$, and its set of input places is $X$. The advantage of this scheme is that a branching process is completely determined by its sets of places and events. In the sequel, we make use of this and represent a branching process as a pair $(P, E)$.



Definition 1. The set of finite branching processes of $(A, is)$, where $is = (is_1, \ldots, is_n)$, is inductively defined as follows:

— $(\{(is_1, \perp), \ldots, (is_n, \perp)\}, \emptyset)$ is a branching process of $(A, is)$.

— If $(P, E)$ is a branching process, $t$ is a global transition, and $X \subseteq P$ is a co-set labelled by ${}^\bullet t$, then
$$
(P \cup \{(s, e) \mid s \in t^\bullet\},\ E \cup \{e\})
$$
is also a branching process of $(A, is)$, where $e = (t, X)$. If $e \notin E$, then $e$ is called a possible extension of $(P, E)$.

We denote the set of possible extensions of a branching process $BP$ by $PE(BP)$.



² In some papers, the name conditions is used instead of places.
Fig. 2. A branching process of (A, is)



A place of the form $(s, \perp)$ or $(s, e)$ such that $s \in S_i$ is called an $i$-place. An event of the form $(t, X)$ such that $t(i)$ is not an idle transition is called an $i$-event. Observe that an event can be both an $i$-event and a $j$-event for $i \ne j$ (in this case we say that $A_i$ and $A_j$ synchronize in $e$), but a place cannot, since the states of the different components are disjoint by assumption.

Figure 2 shows a finite branching process of our running example (above the dashed line), together with its two possible extensions (below that line). 1-nodes are white, 2-nodes are dark grey, and events that are both 1- and 2-events are light grey. The labels of events have been simplified for clarity: We write $t$ instead of $(t, \varepsilon)$, and $u$ instead of $(\varepsilon, u)$.

The set of branching processes of $(A, is)$ is obtained by declaring that the union of any finite or infinite set of branching processes is also a branching process, where union of branching processes is defined componentwise on places and events. Since branching processes are closed under union, there is a unique maximal branching process. We call it the unfolding of $(A, is)$. The unfolding of our running example is an infinite occurrence net. Figure 3 shows an initial part. Events and places have been assigned identifiers that will be used in the examples.

The following Proposition is easy to prove by structural induction on branching processes:

Proposition 1. Two $i$-nodes of a branching process are either causally related or in conflict.

For instance, in Figure 3 all white and light grey nodes are causally related or in conflict.

3.4 Configurations and Cuts 

For our purposes, the most interesting property of occurrence nets is that their 
sets of occurrence sequences and reachable markings can be easily characterised 
in graph-theoretic terms using the notions of configuration and cut. 

Definition 2. A configuration of an occurrence net is a set of events $C$ satisfying the two following properties: $C$ is causally closed, i.e., if $e \in C$ and $e' < e$ then $e' \in C$, and $C$ is conflict-free, i.e., no two events of $C$ are in conflict.
Fig. 3. The unfolding of (A, is)



In Figure 3, $\{1, 3, 4, 6\}$ is a configuration, and $\{1, 4\}$ (not causally closed) or $\{1, 2\}$ (not conflict-free) are not.

It is easy to prove that a set of events is a configuration if and only if there is an occurrence sequence of the net (from the default initial marking) containing each event from the set exactly once, and no further events. This occurrence sequence is not necessarily unique. For instance, for the configuration $\{1, 3, 4, 6\}$ there are two occurrence sequences, $1\,3\,4\,6$ and $3\,1\,4\,6$. However, all occurrence sequences corresponding to the same configuration lead to the same reachable marking. For example, the two sequences above lead to the marking $\{j, g\}$.

Definition 3. A cut is a set of places c satisfying the two following properties: 
c is a co-set, i.e., any two elements of c are concurrent, and c is maximal, i.e., 
it is not properly included in any other co-set. 
It is easy to prove that the reachable markings of an occurrence net coincide with its cuts. We can assign to a configuration $C$ the marking reached by any of the occurrence sequences mentioned above. This marking is a cut, and it is easy to prove that it is equal to $(Min \cup C^\bullet) \setminus {}^\bullet C$, where $Min$ denotes the set of minimal places of the branching process.

The following Proposition can also be easily proved by structural induction on branching processes.

Proposition 2. A cut $c$ of a branching process contains exactly one $i$-place for each component $A_i$.

This result allows us to use the notation $c = (p_1, \ldots, p_n)$ for cuts. Since the place $p_i$ is labelled by some state $s_i \in S_i$, the tuple $(s_1, \ldots, s_n)$ is a reachable global state of $(A, is)$. The global state corresponding to the cut of a configuration $C$ is denoted by $GState(C)$.

We take as partial order semantics of $(A, is)$ its unfolding. The relationship between the interleaving and partial order semantics of $(A, is)$ is given by the following result:

Theorem 1. Let $(A, is)$ be a synchronous product of transition systems.

(a) Let $C$ be a configuration of a branching process of $(A, is)$. There is a state $s$ of $A_{int}$, reachable from $is$, such that: (1) $s = GState(C)$, and (2) for every configuration $C \cup \{e\}$ ($e \notin C$) there is a transition $t$ of $A_{int}$ such that $\alpha(t) = GState(C)$ and $\beta(t) = GState(C \cup \{e\})$.

(b) Let $s$ be a state of $A_{int}$, reachable from $is$. There is a configuration $C$ of the unfolding of $(A, is)$ such that: (1) $GState(C) = s$, and (2) for every transition $t$ of $A_{int}$ such that $\alpha(t) = s$ and $\beta(t) = s'$ there exists a configuration $C \cup \{e\}$ ($e \notin C$) such that $e$ is labelled by $t$, and $GState(C \cup \{e\}) = s'$.

Informally, (a) means that the information a branching process has about $A_{int}$ is correct, while (b) means that the unfolding has complete information about $A_{int}$ (actually, the unfolding also contains “true concurrency” information).

4 Constructing a Complete Finite Prefix 

We say that a branching process of $(A, is)$ is complete if it contains complete information about $A_{int}$, i.e., if condition (b) of Theorem 1, which is always fulfilled by the unfolding, also holds for it³. The important fact is that finite complete prefixes exist, the main reason being that the number of global states of $(A, is)$ is finite. For instance, the prefix of Figure 3 containing the places $\{a, \ldots, k, n, o, p\}$ and the events $\{1, \ldots, 7, 10, 11, 12\}$ can be shown to be a complete prefix.

³ In fact, it is easy to see that a complete prefix contains as much information as the unfolding itself, in the sense that given a complete prefix there is a unique unfolding containing it.
In the former paper by Vogler and the authors an algorithm is presented for the construction of a complete finite prefix, which improves on a previous construction. The algorithm makes use of a so-called adequate order on the configurations of the unfolding. Different adequate orders lead to different versions of the algorithm, and also to different complete prefixes. Total adequate orders are particularly nice, since they lead to complete prefixes which, loosely speaking, are guaranteed not to be larger than the transition system $A_{int}$⁴. In that paper a total adequate order for the unfoldings of Petri nets is presented. In this section we recall its algorithm and then present a total adequate order for the unfoldings of synchronous products of transition systems. The additional structure of a synchronous product with respect to a Petri net leads to a simpler order, with a simpler proof of adequacy.

4.1 The Algorithm 

Given a configuration $C$ of the unfolding, we denote by $C \oplus E$ the set $C \cup E$, under the condition that $C \cup E$ is a configuration satisfying $C \cap E = \emptyset$. We say that $C \oplus E$ is an extension of $C$, and that $E$ is a suffix of $C \oplus E$. Obviously, if $C \subset C'$ then there is a suffix $E$ of $C'$ such that $C \oplus E = C'$.

Now, let $C_1$ and $C_2$ be two finite configurations leading to the same global state, i.e. $GState(C_1) = s = GState(C_2)$. The ‘continuations’ of the unfolding from the cuts corresponding to $C_1$ and $C_2$ (the nodes lying below these cuts) are isomorphic (see the former paper for a more formal description). For example, in Figure 3 the configurations $\{1, 3, 4\}$ and $\{2, 3, 5\}$ lead to the cuts $(f, g)$ and $(h, i)$, which correspond to the global state $(s_4, r_?)$. Loosely speaking, the continuations from these cuts contain the nodes below $f, g$ and $h, i$, respectively ($f, g$ and $h, i$ included). This isomorphism, say $I$, induces a mapping from the extensions of $C_1$ onto the extensions of $C_2$, which maps $C_1 \oplus E$ onto $C_2 \oplus I(E)$. For example, $\{1, 3, 4, 7, 12\}$ is mapped onto $\{2, 3, 5, 9, 15\}$.

The intuitive idea behind the algorithm is to avoid computing isomorphic continuations, since one representative suffices. However, a correct formalisation is not easily achieved. It requires the following three basic notions:

Definition 4. A partial order $\prec$ on the finite configurations of the unfolding is adequate if:

— it is well-founded,

— it refines the inclusion order, i.e. $C_1 \subset C_2$ implies $C_1 \prec C_2$, and

— it is preserved by finite extensions, i.e. if $C_1 \prec C_2$ and $GState(C_1) = GState(C_2)$, then the isomorphism $I$ above satisfies $C_1 \oplus E \prec C_2 \oplus I(E)$ for all finite extensions $C_1 \oplus E$ of $C_1$.



Definition 5. The local configuration $[e]$ associated to an event $e$ of a branching process is the set of events $e'$ such that $e' < e$⁵.



⁴ For a more precise statement see the former paper.
⁵ It is immediate to prove that $[e]$ is a configuration.
Definition 6. Let $\prec$ be an adequate order on the configurations of the unfolding, and let $BP$ be a branching process containing an event $e$. The event $e$ is a cut-off event of $BP$ (with respect to $\prec$) if $BP$ contains a local configuration $[e']$ such that $GState([e]) = GState([e'])$, and $[e'] \prec [e]$.

The algorithm is in fact a family of algorithms: each adequate order $\prec$ leads to a different member of the family. It computes a branching process, and whenever it identifies a cut-off event it takes care of not extending the process behind it.

    input: a synchronous product (A, is), where is = (is_1, ..., is_n).
    output: a complete finite prefix of the unfolding of (A, is).
    begin
        bp := ({(is_1, ⊥), ..., (is_n, ⊥)}, ∅);
        pe := PE(bp);
        cut-off := ∅;
        while pe ≠ ∅ do
            choose e = (t, X) in pe such that [e] is minimal with respect to ≺;
            if [e] ∩ cut-off = ∅ then
                extend bp with the event e and with a place (s, e)
                    for every output place s of t;
                pe := PE(bp);
                if GState([e]) = GState([e']) for some event e' of bp then
                    cut-off := cut-off ∪ {e}
                endif
            else pe := pe \ {e}
            endif
        endwhile;
        return bp
    end

One of the main results of the former paper states that this algorithm is correct if $\prec$ is an adequate order. The order $\prec$ need not be total, but, loosely speaking, total orders lead to more cut-off events, and so to smaller prefixes. In fact, totality is a sufficient condition for the output of the algorithm to be at most as large as the interleaving semantics $A_{int}$. Weaker conditions achieve the same effect (the order need only be total among configurations with the same associated global state, a fact exploited there), but we do not need them here.



5 Adequate Orders for the Unfolding of a Synchronous Product

In this section we introduce a total adequate order on the configurations of the unfolding of a synchronous product. The order is simpler to define and to prove adequate than the order introduced in the former paper for systems modelled by Petri nets.






5.1 Local Views 

Our adequate order is based on the notion of local view of a configuration. Given a finite configuration $C$, we define its projection $C|_i$ onto $A_i$ as its set of $i$-events. If we take $C = \{2, 3, 5, 8, 9, 13\}$ in Figure 3 then we have $C|_1 = \{2, 5, 8, 13\}$ and $C|_2 = \{3, 5, 9\}$. The events of $C|_i$ are totally ordered by the causal relation $<$. This is so because $i$-events are either causally related or in conflict (Proposition 1), and the events of $C|_i$ are not in conflict because they belong to a configuration. We define:

Definition 7. Let $C$ be a configuration, and let $e_1 < e_2 < \cdots < e_k$ be the result of ordering $C|_i$ with respect to $<$. The $i$-view of a configuration $C$, denoted by $V_i(C)$, is the sequence $t_1 t_2 \ldots t_k$, where $t_j$ is the global transition labelling the event $e_j$. We denote by $V(C) = (V_1(C), \ldots, V_n(C))$ the $n$-tuple of local views of a configuration.

Intuitively, $V_i(C)$ is the history of the computation as seen by the $i$-th component. In our example we have $2 < 5 < 8 < 13$ for $C|_1$ and $3 < 5 < 9$ for $C|_2$. Furthermore, $V_1(C) = t_2\,(t_4, u_2)\,t_5\,t_1$ and $V_2(C) = u_1\,(t_4, u_2)\,u_3$.

The definition of local view can be extended without problems to suffixes of configurations, for instance to the set $\{8, 9\}$: We have then $V_1(\{8, 9\}) = (t_5, \varepsilon)$ and $V_2(\{8, 9\}) = (\varepsilon, u_3)$. In particular, for an event $e = (t, X)$ we have that $V_i(\{e\})$ is the empty sequence if $t(i)$ is an idle transition, and $V_i(\{e\}) = t$ otherwise.
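The prefix algorithm of Section 4.1 and the local views of Definition 7, as an added example that is not the authors' implementation: it builds a branching process with the $(s, e)$ and $(t, X)$ naming scheme of Section 3.3, computes $PE(bp)$ from co-sets labelled by ${}^\bullet t$, detects cut-off events by Definition 6 via $GState$, and returns $V(C)$ for any configuration. Assumptions: the two-component product is a constructed instance (not Figure 1), and McMillan's size order $|[e]|$ stands in for the adequate order, since the page's own order is only defined in the rest of Section 5.

```python
from itertools import product as cartesian

# Constructed running example (not the paper's Figure 1): A1 = s1 -t1-> s2 -t2-> s1
# and A2 = r1 -u1-> r2 -u2-> r3 -u3-> r1, where t2 synchronises with u2. As on the
# page, "t1" stands for the global transition (t1, eps); each entry maps the
# non-idle component indices to (source, target), giving *t and t* of Section 2.
COMPONENTS = [{"s1", "s2"}, {"r1", "r2", "r3"}]
INITIAL = ("s1", "r1")
GLOBAL = {
    "t1": {0: ("s1", "s2")},
    "u1": {1: ("r1", "r2")},
    "(t2,u2)": {0: ("s2", "s1"), 1: ("r2", "r3")},
    "u3": {1: ("r3", "r1")},
}
COMP_OF = {s: i for i, comp in enumerate(COMPONENTS) for s in comp}


class BranchingProcess:
    """Places are pairs (state, event) with event=None for the minimal places;
    events are pairs (t, X), X the frozenset of input places (Section 3.3)."""

    def __init__(self, initial):
        self.places = [(s, None) for s in initial]
        self.events = []        # insertion order doubles as the tie-break
        self.local = {}         # event -> frozenset: its local configuration [e]

    def past(self, place):
        """Events causally below a place (none for a minimal place)."""
        return self.local[place[1]] if place[1] is not None else frozenset()

    def concurrent(self, p, q):
        """p co q: distinct, not causally related and not in conflict."""
        def below(x, y):        # x < y: x feeds some event in the past of y
            return any(x in ev[1] for ev in self.past(y))
        if p == q or below(p, q) or below(q, p):
            return False
        return not any(f != g and f[1] & g[1]        # conflict: shared input place
                       for f in self.past(p) for g in self.past(q))

    def local_config(self, e):
        """[e]: e together with every event below one of its input places."""
        return frozenset().union(*(self.past(p) for p in e[1])) | {e}

    def possible_extensions(self):
        """PE(bp): events (t, X) not yet in E with X a co-set labelled by *t."""
        pe = []
        for t, moves in GLOBAL.items():
            choices = [[p for p in self.places if p[0] == src] for src, _ in moves.values()]
            for combo in cartesian(*choices):
                pairs = [(combo[i], combo[j]) for i in range(len(combo)) for j in range(i + 1, len(combo))]
                e = (t, frozenset(combo))
                if e not in self.local and all(self.concurrent(p, q) for p, q in pairs):
                    pe.append(e)
        return pe

    def extend(self, e):
        """Add e = (t, X) plus one output place (s, e) for every s in t*."""
        self.local[e] = self.local_config(e)
        self.events.append(e)
        for _, tgt in GLOBAL[e[0]].values():
            self.places.append((tgt, e))

    def gstate(self, config):
        """GState(C): the cut (Min ∪ C•) \\ •C read as a tuple of states."""
        cut = {p for p in self.places if p[1] is None or p[1] in config}
        cut -= set().union(*(ev[1] for ev in config))
        return tuple(p[0] for p in sorted(cut, key=lambda p: COMP_OF[p[0]]))

    def local_views(self, config):
        """V(C) of Definition 7: per component, its i-events in causal order
        (sorting by |[e]| linearises < on the i-events of a configuration)."""
        ordered = sorted(config, key=lambda e: len(self.local[e]))
        return tuple(tuple(e[0] for e in ordered if i in GLOBAL[e[0]])
                     for i in range(len(COMPONENTS)))


def complete_finite_prefix(initial):
    """The algorithm of Section 4.1. Assumption: McMillan's size order |[e]|
    serves as the adequate order (the page's own order is defined later)."""
    bp = BranchingProcess(initial)
    pe = bp.possible_extensions()
    cutoff = set()
    while pe:
        e = min(pe, key=lambda x: len(bp.local_config(x)))   # minimal w.r.t. the order
        C = bp.local_config(e)
        if C & cutoff:                   # behind a cut-off event: do not extend
            pe.remove(e)
            continue
        bp.extend(e)
        pe = bp.possible_extensions()
        state = bp.gstate(C)
        # Definition 6: cut-off if some other event has the same global state
        # and a strictly smaller local configuration.
        if any(bp.gstate(bp.local[f]) == state and len(bp.local[f]) < len(C)
               for f in bp.events if f != e):
            cutoff.add(e)
    return bp, cutoff
```

Running `complete_finite_prefix(INITIAL)` on the constructed product yields a prefix of 6 events and 9 places whose single cut-off is the second `u1` event: its local configuration reaches the same global state as the first `u1` event with a larger configuration.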

The following result will be crucial: 

Theorem 2. The mapping $V$ is injective.

Proof. Let $C_1, C_2$ be two configurations such that $V(C_1) = V(C_2)$. We prove $C_1 = C_2$ by showing $C_1 = C$ and $C_2 = C$, where $C = C_1 \cap C_2$. By symmetry it suffices to prove $C_1 = C$. We proceed by contradiction.

Assume $C \ne C_1$. Then $C$ can be extended by an event $e_1 \in C_1 \setminus C$. We prove $e_1 \in C_2$, a contradiction to $C = C_1 \cap C_2$. Let $e_1 = (t, X_1)$, where $t = (t_1, \ldots, t_n)$. Since $t \ne (\varepsilon, \ldots, \varepsilon)$ by the definition of global transition, some component of $t$, say $t_i$, satisfies $\lambda_i(t_i) \ne \varepsilon$. By the definition of local view, $V_i(C) \cdot t$ is a prefix of $V_i(C_1)$, and, since $V(C_1) = V(C_2)$ holds by assumption, also a prefix of $V_i(C_2)$. So $C$ can be extended by an event $e_2 \in C_2$ such that $e_2 = (t, X_2)$ for some co-set $X_2$. We prove:

— $X_1$ and $X_2$ are both labelled by ${}^\bullet t$. Follows immediately from $e_1 = (t, X_1)$ and $e_2 = (t, X_2)$.

— Each place of $X_1 \cup X_2$ carries a different label. Since both $e_1$ and $e_2$ extend the same configuration $C$, we have that $X_1 \cup X_2$ is a co-set. Since every co-set can be extended to a cut, we can apply Proposition 2.

It follows $X_1 = X_2$, which implies $e_1 = e_2$. So $e_1 \in C_2$, and we are done.
In words, Theorem 2 states that a configuration is characterised by its tuple 
of local views. If we let $\mathbf{T}^*$ be the set of $n$-tuples whose elements are sequences 
of global transitions, i.e., $\mathbf{T}^* = (T^*)^n$, then a tuple of local views is an element 
of $\mathbf{T}^*$. By Theorem 2, an order $\prec$ on $\mathbf{T}^*$ induces an order on configurations: 

$C_1 \prec_C C_2$ if and only if $V(C_1) \prec V(C_2)$ 

Moreover, if $\prec$ is total, then $\prec_C$ is total. 

5.2 From Orders on Local Views to Adequate Orders 

We identify sufficient conditions for an order $\prec$ on $\mathbf{T}^*$ to induce an adequate 
total order on configurations. We need to introduce some definitions. The 
concatenation of two elements $\sigma, \tau \in \mathbf{T}^*$ is defined componentwise, and denoted by 
$\sigma \cdot \tau$. The partial order $\sqsubseteq$ on $\mathbf{T}^*$ is defined as follows: $\sigma \sqsubseteq \tau$ if there exists $\sigma'$ 
such that $\tau = \sigma \cdot \sigma'$. In other words, $\sigma \sqsubseteq \tau$ if each component of $\sigma$ is a prefix of 
the corresponding component of $\tau$. 

We start with the following two observations, which follow easily from the 
definitions. 

Proposition 3. (1) If $C_1 \subseteq C_2$ then $V(C_1) \sqsubseteq V(C_2)$. 

(2) $V(C \oplus E) = V(C) \cdot V(E)$. 

Let us illustrate this result with configurations from Figure [?]. Let $C_1 = 
\{2, 3, 5, 8\}$ and $C_2 = \{2, 3, 5, 8, 9, 13\}$. We have 

$V(C_1) = (t_2 (t_4, u_2) t_5,\; u_1 (t_4, u_2))$ 

$V(C_2) = (t_2 (t_4, u_2) t_5 t_1,\; u_1 (t_4, u_2) u_3)$ 

Furthermore, we have $C_2 = C_1 \oplus E$, where $E = \{9, 13\}$, and $V(E) = (t_1, u_3)$, 
and indeed $V(C_2) = V(C_1) \cdot V(E)$. 

We can now obtain sufficient conditions for the induced order $\prec_C$ to be 
adequate and total: 

Lemma 1. Let $\prec$ be an order on $\mathbf{T}^*$ satisfying the following conditions: 

(1) $\prec$ is well-founded; 

(2) $\prec$ refines $\sqsubseteq$, i.e. $\sigma \sqsubseteq \tau$ implies $\sigma \prec \tau$; 

(3) $\prec$ is preserved by concatenation, i.e., if $\sigma \prec \tau$ then $\sigma \cdot \sigma' \prec \tau \cdot \sigma'$ for every 
$\sigma' \in \mathbf{T}^*$; 

(4) $\prec$ is a total order. 

Then the induced order $\prec_C$ is a total adequate order. 

Proof. We prove that $\prec_C$ satisfies the properties of a total adequate order: 

(a) $\prec_C$ is well-founded. An infinite descending chain $C_1 \succ_C C_2 \succ_C \cdots$ implies 
$V(C_1) \succ V(C_2) \succ \cdots$, contradicting the well-foundedness of $\prec$. 

(b) If $C_1 \subset C_2$ then $C_1 \prec_C C_2$. By Proposition 3(1), $V(C_1) \sqsubseteq V(C_2)$. By (2), 
$V(C_1) \prec V(C_2)$. By the definition of $\prec_C$, $C_1 \prec_C C_2$. 

(c) If $C_1 \prec_C C_2$ then $C_1 \oplus E \prec_C C_2 \oplus E$. If $C_1 \prec_C C_2$ then $V(C_1) \prec V(C_2)$. 
By (3), $V(C_1) \cdot V(E) \prec V(C_2) \cdot V(E)$. By Proposition 3(2), $V(C_1 \oplus E) \prec 
V(C_2 \oplus E)$. By the definition of $\prec_C$, $C_1 \oplus E \prec_C C_2 \oplus E$. 

(d) $\prec_C$ is total. Immediate from (4) and the definition of $\prec_C$. 
5.3 Orders on $\mathbf{T}^*$ Inducing Adequate Orders 

We describe in this section two total orders on $\mathbf{T}^*$ satisfying conditions (1)-(4) of 
Lemma 1. We start with an arbitrary total order on $T$, and use the following 
three auxiliary orders on $T^*$: 

— the size order: $\sigma$ is smaller than $\tau$ if $|\sigma| < |\tau|$; 

— the lexicographic order: $\sigma$ is smaller than $\tau$ if $\sigma$ is lexicographically smaller 
than $\tau$ with respect to the chosen total order on $T$; 

— the silex (size-lexicographic) order: $\sigma$ is smaller than $\tau$ if $|\sigma| < |\tau|$ or if 
$|\sigma| = |\tau|$ and $\sigma$ is lexicographically smaller than $\tau$. 

Let us first consider the case $n = 1$, i.e., $\mathbf{A}$ contains only one component. We 
have then $\mathbf{T}^* = T^*$, i.e., we look for an order on sequences of global transitions 
satisfying (1)-(4). It is immediate to see that the silex order does the job: the 
order $\sqsubseteq$ is in this case the prefix order on sequences, and the concatenation 
operation is just the ordinary concatenation of sequences. 

The silex order can be extended to an arbitrary number $n$ of components in 
two different ways: 

Definition 8. Let $\sigma, \tau$ be elements of $\mathbf{T}^*$. We say $\sigma \prec_1 \tau$ if there is an index 
$1 \le i \le n$ such that $\sigma(j) = \tau(j)$ for all $1 \le j < i$, and $\sigma(i)$ is smaller than $\tau(i)$ 
with respect to the silex order on sequences. We say $\sigma \prec_2 \tau$ if 

(a) there is an index $1 \le i \le n$ such that $|\sigma(j)| = |\tau(j)|$ for all $1 \le j < i$, and 
$|\sigma(i)| < |\tau(i)|$; or 

(b) $|\sigma(i)| = |\tau(i)|$ for all $1 \le i \le n$, and there is an index $i$ such that $\sigma(j) = \tau(j)$ 
for all $1 \le j < i$ and $\sigma(i)$ is lexicographically smaller than $\tau(i)$. 

It is only a small exercise to prove that $\prec_1$ and $\prec_2$ satisfy conditions (1)-(4): 

Theorem 3. The orders $\prec_1$ and $\prec_2$ satisfy conditions (1)-(4) of Lemma 1. 
Therefore, they induce total adequate orders on configurations. 

Proof. Let us prove condition (3) for the order $\prec_2$, the others being similar or 
simpler. Assume $\sigma \prec_2 \tau$. We prove $\sigma \cdot \sigma' \prec_2 \tau \cdot \sigma'$. Let $\sigma(i)$ be the first component 
of $\sigma$ such that $\sigma(i)$ is smaller than $\tau(i)$ with respect to the silex order. Consider 
two cases: 

— There is an index $1 \le i \le n$ such that $|\sigma(j)| = |\tau(j)|$ for all $1 \le j < i$ 
and $|\sigma(i)| < |\tau(i)|$. Then $|\sigma(j)\sigma'(j)| = |\tau(j)\sigma'(j)|$ for all $1 \le j < i$ and 
$|\sigma(i)\sigma'(i)| < |\tau(i)\sigma'(i)|$. Hence $\sigma \cdot \sigma' \prec_2 \tau \cdot \sigma'$. 

— $|\sigma(i)| = |\tau(i)|$ for all $1 \le i \le n$, and there is an index $i$ such that $\sigma(j) = \tau(j)$ 
for all $1 \le j < i$, and $\sigma(i)$ is lexicographically smaller than $\tau(i)$. Then 
$|\sigma(i)\sigma'(i)| = |\tau(i)\sigma'(i)|$ for all $1 \le i \le n$, and there is an index $i$ such that 
$\sigma(j)\sigma'(j) = \tau(j)\sigma'(j)$ for all $1 \le j < i$ and $\sigma(i)\sigma'(i)$ is lexicographically 
smaller than $\tau(i)\sigma'(i)$. Hence $\sigma \cdot \sigma' \prec_2 \tau \cdot \sigma'$. 

This concludes the proof of adequacy of the two orders $\prec_1$ and $\prec_2$. The 
proof consists of Theorem 2, Lemma 1 and Theorem 3. The latter two have 
very simple proofs; only Theorem 2 requires a bit of ingenuity. 

Which of the two orders is more suitable for an implementation is a question 
of efficiency, and is discussed — together with other implementation points — in 
the next section. 
6 Efficient Implementation of the Complete Finite Prefix 
Algorithm 

The algorithm presented in Section [?] is hopefully easy to understand. However, 
it is still far too abstract. It leaves the choice of the order $\prec$ open, and it does 
not explain how to compute the functions $PE$ and $GState$, nor how to compute 
a minimal event with respect to $\prec$. In the algorithm of [?] the computation of 
the functions and the minimal event involved expensive forward and backward 
global searches in branching processes. The additional structure of synchronous 
products allows us to compute $GState$ and minimal events using new procedures, 
described in Sections 6.2 and 6.1, respectively. In Section 6.3 we also describe 
how to speed up the computation of $PE$; however, in this case the improvement 
does not exploit the structure of synchronous products, and can be used for Petri 
net systems as well. 

In the sequel, the abstract algorithm of the last section is called ‘the algo- 
rithm’. The concrete algorithm using the procedures just mentioned is called 
‘our implementation’. 

6.1 Computing a Minimal Event 

In order to determine the minimal event, our implementation maintains a queue 
of possible extensions sorted according to $\prec_C$. So we need a procedure to de- 
cide for two given configurations $[e_1]$, $[e_2]$ whether $[e_1] \prec_C [e_2]$ or $[e_2] \prec_C [e_1]$. 
For both $\prec = \prec_1$ and $\prec = \prec_2$ we face a trade-off between time and space. The 
fastest procedure is to attach to each event $e$ in the queue the whole vector 
$V([e])$, which leads to a high memory overhead. The most economic procedure 
in memory terms is to recompute $V([e])$ whenever it is needed by means of a 
backward search, a much slower solution. In our implementation we adopt an 
intermediate solution: we attach to each event $e$ in the queue the integer vector 
$(|V_1([e])|, \ldots, |V_n([e])|)$. 

Once this design choice has been made, the order $\prec_2$ becomes superior to 
$\prec_1$. With $\prec = \prec_2$, the vectors $V([e])$ and $V([e'])$ have to be computed only if 
the integer vectors attached to $e$ and $e'$ coincide, which is rarely the case. With 
$\prec = \prec_1$, we have to compute $V_1([e])$ and $V_1([e'])$ if the first components of the 
integer vectors are equal; we have to compute $V_2([e])$ and $V_2([e'])$ if $V_1([e]) = 
V_1([e'])$ and the second components of the integer vectors are equal, and so on. 
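The following Python program is an added illustration of Definitions 7 and 8 and of the design choice just described; it is not code from the paper. It builds a toy branching process modelled on the running example (event numbers and transition names are constructed, and the causal predecessors of each event are given directly instead of being derived from places), computes the local views $V_i(C)$, checks Proposition 3 on the example configurations, implements $\prec_2$, and shows the integer-vector shortcut: the full views are computed only when the attached length vectors coincide. The total order on global transitions is an arbitrary fixed one, as the text allows.

```python
"""Local views and the order <_2 on configurations (Definitions 7 and 8, Section 6.1).

Added illustration, not code from the paper. The branching process is a constructed
toy modelled on the paper's running example: event numbers and transition names are
made up, and causal predecessors are listed directly instead of being derived from places.
"""

IDLE = None   # epsilon: the component does not move in this global transition
N = 2         # number of sequential components

# Constructed events: id -> (global transition as an N-tuple, immediate causal predecessors)
EVENTS = {
    2:  (("t2", IDLE), set()),
    3:  ((IDLE, "u1"), set()),
    5:  (("t4", "u2"), {2, 3}),
    7:  (("t6", IDLE), {5}),     # constructed: in conflict with event 8 (never in one configuration)
    8:  (("t5", IDLE), {5}),
    9:  ((IDLE, "u3"), {5}),
    13: (("t1", IDLE), {8}),
}

# Assumption: any fixed total order on global transitions; the list position is the rank
TRANSITION_ORDER = [("t1", IDLE), ("t2", IDLE), ("t4", "u2"), ("t5", IDLE),
                    ("t6", IDLE), (IDLE, "u1"), (IDLE, "u3")]
RANK = {t: k for k, t in enumerate(TRANSITION_ORDER)}


def causal_order(config):
    """Events of a configuration (or of a suffix of one) with predecessors first."""
    config, done, order = set(config), set(), []
    while len(order) < len(config):
        ready = sorted(e for e in config - done if (EVENTS[e][1] & config) <= done)
        if not ready:
            raise ValueError("cyclic causality: not a branching process")
        order.extend(ready)
        done.update(ready)
    return order


def local_view(config, i):
    """V_i(C): the global transitions of the i-events of C in causal order (Definition 7).

    The i-events of a configuration are totally ordered by <, so every linearisation
    of < restricts to the same sequence on them."""
    return tuple(EVENTS[e][0] for e in causal_order(config) if EVENTS[e][0][i] is not IDLE)


def views(config):
    """V(C) = (V_1(C), ..., V_n(C))."""
    return tuple(local_view(config, i) for i in range(N))


def concat(sigma, tau):
    """Componentwise concatenation sigma . tau of two n-tuples of sequences."""
    return tuple(s + t for s, t in zip(sigma, tau))


def is_prefix(sigma, tau):
    """The partial order sigma [= tau: each component of sigma is a prefix of tau's."""
    return all(t[:len(s)] == s for s, t in zip(sigma, tau))


def less2(sigma, tau):
    """sigma <_2 tau (Definition 8): compare the length vectors first (case (a)),
    then the first differing components lexicographically w.r.t. RANK (case (b))."""
    sizes_s, sizes_t = tuple(map(len, sigma)), tuple(map(len, tau))
    if sizes_s != sizes_t:
        return sizes_s < sizes_t           # tuple comparison: the first differing length decides
    for s, t in zip(sigma, tau):
        if s != t:
            return [RANK[x] for x in s] < [RANK[x] for x in t]
    return False                           # sigma == tau


def size_vector(config):
    """The integer vector (|V_1([e])|, ..., |V_n([e])|) attached to each queued event."""
    return tuple(len(v) for v in views(config))


def compare_queued(c1, c2):
    """Decide c1 <_C c2 under <_2. Returns (result, full_views_needed): the attached
    integer vectors settle the comparison unless they coincide (Section 6.1)."""
    v1, v2 = size_vector(c1), size_vector(c2)
    if v1 != v2:
        return v1 < v2, False
    return less2(views(c1), views(c2)), True
```

Calling `compare_queued({2, 3, 5, 8}, {2, 3, 5, 8, 9, 13})` is settled by the length vectors (3, 2) and (4, 3) alone, whereas `compare_queued({2, 3, 5, 8}, {2, 3, 5, 7})` has equal length vectors and falls back to the full views, where the rank of $t_5$ against $t_6$ decides.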

6.2 Computing $GState([e])$ 

Whenever the current branching process is extended with a new event $e$, the 
state $GState([e])$ has to be computed in order to determine if $e$ is a cut-off 
event or not. For that, we first compute the cut corresponding to $[e]$; the labels 
of the conditions of this cut are $GState([e])$. Recall that the cut corresponding 
to $[e]$ is given by $(Min \cup [e]^\bullet) \setminus {}^\bullet[e]$, which provides a procedure to compute it. 
However, since it is too costly to store $[e]$ for each event $e$, the procedure involves 
computing the events preceding $e$. 

The additional structure of synchronous products allows us to easily compute 
the cut of $[e]$ from the cuts of the immediate predecessors of $e$, i.e., of the input 
events of $e$'s input conditions. Let us start with a definition and a lemma: 

Definition 9. Let $p = (s, e)$ be an $i$-place of a branching process. The depth 
$d(p)$ of $p$ is recursively defined as follows: 

— If $e = \bot$, then $d(p) = 0$; 

— If $e = (t, X)$, then let $p'$ be the unique $i$-place of $X$; define $d(p) = d(p') + 1$. 

Lemma 2. Let $C_1, \ldots, C_k$ be configurations such that $C = C_1 \cup \ldots \cup C_k$ is 
also a configuration. Let $c_i$ be the cut corresponding to $C_i$, and let $c$ be the cut 
corresponding to $C$. For every $1 \le j \le n$, $c(j)$ is the unique condition of the set 
$\{c_1(j), \ldots, c_k(j)\}$ having maximal depth. 

Proof. Since all the elements of $\{c_1(j), \ldots, c_k(j)\}$ are $j$-places, they are causally 
related or in conflict (Proposition [?]). Since $C$ is a configuration, they cannot 
be in conflict, and so they are all causally ordered. It follows that they all have 
different depths (notice that not all of $c_1(j), \ldots, c_k(j)$ have to be different, but 
of course all elements of $\{c_1(j), \ldots, c_k(j)\}$ are different by definition of set). 
So $c(j)$ is well defined. We prove that $c(j)$ belongs to the cut of $C$, i.e., that 
$c(j) \in (Min \cup C^\bullet) \setminus {}^\bullet C$. 

Assume without loss of generality that $c(j) = c_1(j)$. Then we have $c(j) \in 
(Min \cup C_1^\bullet) \setminus {}^\bullet C_1$. So $c(j) \in (Min \cup C_1^\bullet)$, and so $c(j) \in (Min \cup C^\bullet)$. It remains 
to prove $c(j) \notin {}^\bullet C$. Assume the contrary. Then there exists an index $i$ such that 
$c(j) \in {}^\bullet C_i$. It follows that the depth of $c_i(j)$ must be greater than the depth of 
$c(j)$, a contradiction. 

We can now compute the cut of an event $e$ as follows: 

Proposition 4. Let $e = (t, X)$ be an event, and let $e_1, \ldots, e_k$ be its immediate 
predecessors. The cut of $[e]$ can be computed in two steps as follows: 

— Compute the cut of $[e_1] \cup \ldots \cup [e_k]$ using Lemma 2; let $c$ be this cut; 

— For each output place $p$ of $e$: if $p$ is an $i$-place then replace the $i$-place of $c$ 
by $p$. 

Proof. Observe that the output places of $e$ belong to the cut of $[e]$. The rest 
follows easily from Lemma 2 and the definitions. 

Let us apply this Proposition to compute the cut of $[16]$ in Figure [?]. The 
immediate predecessors of event 16 are events 10 and 12. Their corresponding 
cuts are $(n, g)$ and $(f, p)$. We have $d(n) = 4$, $d(g) = 2$ and $d(f) = 2$, $d(p) = 4$. So 
the cut of $[10] \cup [12]$ is $(n, p)$. Now, the second step says to replace $n$ by $t$ and 
$p$ by $u$. So the final result is $(t, u)$. The fact that this is also the set of output 
places of event 16 is a coincidence. 

In order to apply Proposition 4, our implementation has to compute the 
depth of each place of the current branching process. Fortunately, this leads to 
no time overhead. Recall that in order to decide if $[e_1] \prec_C [e_2]$ we attach to 
each event $e$ the vector $(|V_1([e])|, \ldots, |V_n([e])|)$. It follows immediately from the 
definitions that the depth of an $i$-place with input event $e$ is equal to $|V_i([e])|$. 
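The following Python program is an added illustration of Definition 9, Lemma 2 and Proposition 4, not code from the paper. It builds a constructed three-component branching process (all state, transition and event names are made up), computes depths, derives the cut of $[e]$ from the cuts of the immediate predecessors as Proposition 4 prescribes, and checks the result against the definition $(Min \cup [e]^\bullet) \setminus {}^\bullet[e]$ and against the identity $d(p) = |V_i([e])|$ stated above. Each event's cut is cached once computed, which stands in for the implementation's habit of keeping per-event data instead of storing $[e]$.

```python
"""Cuts, depths and GState([e]) for a synchronous product (Def. 9, Lemma 2, Prop. 4).

Added illustration, not code from the paper. The branching process is a constructed
three-component toy; state, transition and event names are made up.
"""
from functools import lru_cache

IDLE = None
N = 3

# A place is (component, state label, input event id or None for the minimal places).
MIN = [(0, "s0", None), (1, "r0", None), (2, "q0", None)]

# Constructed events: id -> (global transition, input places X, output places e•).
EVENTS = {
    "a": (("x1", IDLE, IDLE), {(0, "s0", None)}, {(0, "s1", "a")}),
    "b": ((IDLE, "y1", IDLE), {(1, "r0", None)}, {(1, "r1", "b")}),
    "c": (("x2", "y2", IDLE), {(0, "s1", "a"), (1, "r1", "b")}, {(0, "s2", "c"), (1, "r2", "c")}),
    "d": ((IDLE, IDLE, "z1"), {(2, "q0", None)}, {(2, "q1", "d")}),
    "e": (("x3", IDLE, "z2"), {(0, "s2", "c"), (2, "q1", "d")}, {(0, "s3", "e"), (2, "q2", "e")}),
}


def depth(p):
    """d(p) of Definition 9: 0 for minimal places, else 1 + depth of the unique i-place of X."""
    i, _, ein = p
    if ein is None:
        return 0
    (prev,) = [q for q in EVENTS[ein][1] if q[0] == i]
    return depth(prev) + 1


def immediate_predecessors(eid):
    """The input events of e's input places."""
    return {p[2] for p in EVENTS[eid][1] if p[2] is not None}


def local_configuration(eid):
    """[e]: e together with all events causally preceding it."""
    conf, todo = set(), [eid]
    while todo:
        x = todo.pop()
        if x not in conf:
            conf.add(x)
            todo.extend(immediate_predecessors(x))
    return conf


def as_tuple(places):
    """Arrange a cut as the tuple (c(1), ..., c(n)), one place per component."""
    cut = [None] * N
    for p in places:
        assert cut[p[0]] is None, "a cut has exactly one place per component"
        cut[p[0]] = p
    return tuple(cut)


def cut_by_definition(conf):
    """The cut of a configuration C computed directly as (Min ∪ C•) \\ •C."""
    produced = set(MIN) | {p for e in conf for p in EVENTS[e][2]}
    consumed = {p for e in conf for p in EVENTS[e][1]}
    return as_tuple(produced - consumed)


def cut_of_union(cuts):
    """Lemma 2: for each component j, the deepest of the j-places c_1(j), ..., c_k(j)."""
    return tuple(max((c[j] for c in cuts), key=depth) for j in range(N))


@lru_cache(maxsize=None)
def cut_of_local_configuration(eid):
    """Proposition 4; cached so that only the predecessors' cuts are consulted."""
    preds = immediate_predecessors(eid)
    if preds:
        cut = list(cut_of_union([cut_of_local_configuration(x) for x in preds]))
    else:
        cut = list(as_tuple(MIN))          # no predecessors: [e] extends the initial cut
    for p in EVENTS[eid][2]:               # step 2: output places replace their component's place
        cut[p[0]] = p
    return tuple(cut)


def gstate(eid):
    """GState([e]): the state labels of the cut of [e]."""
    return tuple(p[1] for p in cut_of_local_configuration(eid))


def count_i_events(eid, i):
    """|V_i([e])|: the number of i-events in [e]; equals the depth of e's i-output place."""
    return sum(1 for x in local_configuration(eid) if EVENTS[x][0][i] is not IDLE)
```

For event `"e"`, whose immediate predecessors are `"c"` (cut depths 2, 2, 0) and `"d"` (cut depths 0, 0, 1), Lemma 2 selects the places of depth 2, 2 and 1; replacing the output components then gives the cut labelled `("s3", "r2", "q2")`, the same set the direct definition yields.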
6.3 Computing $PE(BP)$ 

The computation of $PE(BP)$ is the most time consuming part of the algorithm. 
The computation is performed by considering each global transition $t \in T$ in 
turn, and computing the possible extensions of $BP$ of the form $(t, X)$. So the 
problem consists of finding all $X \subseteq P$ such that (a) $X$ is labelled by ${}^\bullet t$, and 
(b) $X$ is a co-set. Since the places of $BP$ can be easily indexed according to 
the states they are labelled with, we search among all sets $X$ satisfying (a) for 
those satisfying also (b). The implementation stores the co-relation of the places 
contained in the current branching process. Therefore, whenever the process is 
extended by a new event $e$, it is necessary to compute the places of the process 
that are in co-relation with the output places of $e$ (notice that these output 
places themselves build a co-set). 

A first procedure to compute this set of places applies the definition of the 
concurrency relation. Take the set of all places of the branching process, and 
perform the following steps: 

(1) remove all places which are causally related with $e^\bullet$, by iteratively computing 
$e$'s immediate predecessors, their immediate predecessors and so on; mark 
along the way all the places having more than one successor; 

(2) remove the successors of the marked places (not already removed in (1)); 
these are the places in conflict with $e^\bullet$; 

(3) give as output the remaining set of places. 

To illustrate this procedure, assume that the current branching process is 
the prefix of Figure [?] containing events 1, 2, ..., 11, and that event 12 is the new 
event. Step (1) removes $\{k, g, c, a, e, b\}$, and marks $a$ and $e$. Step (2) removes 
$\{d, h, i, l, m\}$. Step (3) yields $\{f, j, n, o\}$. 

In the worst case, these steps require visiting all nodes of the current branch- 
ing process, and since they have to be carried out whenever a new event $e$ is 
added, the cost can be high. In the rest of the section we give a more efficient 
procedure. 

Proposition 5. Let $e = (t, X)$ be a possible extension of a branching process 
$(P, E)$. Let $p$ be an output place of $e$, and let $p' \in P$ be an arbitrary place. $p \mathrel{co} p'$ 
holds if and only if $p'$ is an output place of $e$ different from $p$, or $x \mathrel{co} p'$ for every 
$x \in X$. 

Proof. If $p = p'$ then we are done, and so we consider only the case $p \neq p'$. Since 
$e$ is a possible extension, $p < p'$ cannot hold, and so we have $p \mathrel{co} p' \Leftrightarrow \neg(p' < 
p \vee p \# p')$. So it suffices to prove: 

$(p' < p \vee p \# p') \Leftrightarrow (p' \notin e^\bullet) \wedge (\exists x \in X.\; x < p' \vee p' < x \vee x \# p')$ 

($\Rightarrow$) We prove four statements: 

— $p' < p \Rightarrow p' \notin e^\bullet$. Obvious, because no two output places of $e$ are causally 
related. 

— $p' < p \Rightarrow \exists x \in X.\; p' < x$. Since $p$ has $e$ as unique input event, the path from 
$p'$ to $p$ must necessarily contain $e$, and so it must also contain some input 
place of $e$, i.e., some element of $X$. 

— $p \# p' \Rightarrow p' \notin e^\bullet$. Obvious, because no two output places of $e$ are in conflict. 

— $p \# p' \Rightarrow \exists x \in X.\; x < p' \vee x \# p'$. Since $p \# p'$ there exist two paths from a 
condition $p''$ to $p$ and $p'$ sharing only $p''$. If $p'' \in X$, then we have $p'' < p'$, 
and by taking $x = p''$ we are done. If $p'' \notin X$, then the path from $p''$ to $p$ 
contains some element $x$ of $X$, and so $x \# p'$. 

($\Leftarrow$) We consider three cases: 

— $p' \notin e^\bullet \wedge \exists x \in X.\; x < p'$. Then there exist two paths from $x$ to $p$ and $p'$ 
sharing only $x$. So $p \# p'$. 

— $p' \notin e^\bullet \wedge \exists x \in X.\; p' < x$. Then, since $x < p$, we have $p' < p$. 

— $p' \notin e^\bullet \wedge \exists x \in X.\; x \# p'$. Since $x < p$ and $x \# p'$, we have $p \# p'$. 

If we assume that the co-relation is updated whenever a new event is added 
to the current branching process $(P, E)$, then at the point of adding a new event 
$e = (t, X)$ we can assume that we already know whether $x \mathrel{co} p'$ holds or not for 
every $x \in X$ and every $p' \in P$. Updating the relation is now a simple matter. 
The following procedure takes care of it. 

Procedure Update((P, E), co, e = (t, X)) 
begin 
  places := P; 
  for every p ∈ P do 
    for every x ∈ X do 
      if ¬(x co p) then places := places \ {p} endif 
    endfor 
  endfor; 
  co := co ∪ (e• × e•) ∪ (e• × places) ∪ (places × e•) 
end 

The operations in the procedure can be efficiently implemented using a 
bitvector co(p) for each place p. 

There is also an obvious improvement concerning recomputations of $PE(BP)$. 
The algorithm computes $PE(BP)$, extends $BP$ by one event, say $e$, and recomputes 
$PE(BP)$. This is very inefficient, since numerous possible extensions may be 
recomputed again and again. In fact, the only new possible extensions after the 
addition of $e$ are those having $e$ as immediate predecessor. When the first event 
of the queue of possible extensions is added to the current branching process, 
only new extensions having this event as immediate predecessor are computed 
and inserted in the queue. 
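The following Python program is an added illustration of Section 6.3, not code from the paper: it maintains the co-relation incrementally with the Update procedure, representing $co(p)$ as a bitvector over place indices, and validates the result against the definition of the concurrency relation (two distinct places are concurrent when neither precedes the other and they are not in conflict). It then performs the search for possible extensions, enumerating the sets $X$ labelled by ${}^\bullet t$ and keeping those that are co-sets. The branching process is a constructed two-component toy with one conflict; all names are made up. One assumption is stated in the code: $co$ is kept irreflexive, so $e^\bullet \times e^\bullet$ is added without its diagonal.

```python
"""Incremental maintenance of the co-relation with bitvectors (Prop. 5, procedure Update)
and the search for possible extensions of Section 6.3.

Added illustration, not code from the paper. The branching process is a constructed
two-component toy with one conflict; all names are made up. Assumption: co is kept
irreflexive (a place is not concurrent with itself), so e• x e• is added without its diagonal.
"""
from itertools import product

IDLE = None
N = 2

# A place is (component, state label, input event id or None for the minimal places).
MIN = [(0, "s0", None), (1, "r0", None)]

# Constructed events in the order in which they are added: id -> (transition, inputs X, outputs e•)
EVENTS = {
    1: (("a", IDLE), {(0, "s0", None)}, {(0, "s1", 1)}),
    2: (("b", IDLE), {(0, "s0", None)}, {(0, "s2", 2)}),      # shares an input place with event 1
    3: ((IDLE, "c"), {(1, "r0", None)}, {(1, "r1", 3)}),
    4: (("d", "e"), {(0, "s1", 1), (1, "r1", 3)}, {(0, "s3", 4), (1, "r2", 4)}),
}


class CoRelation:
    """co(p) is an int used as a bitvector: bit k is set iff p co (the place with index k)."""

    def __init__(self):
        self.index, self.co = {}, {}
        for p in MIN:
            self.add_place(p)
        for p in MIN:                     # Min is a cut, so its places are pairwise concurrent
            self.co[p] = self.mask(MIN) & ~self.bit(p)

    def add_place(self, p):
        self.index[p] = len(self.index)
        self.co[p] = 0

    def bit(self, p):
        return 1 << self.index[p]

    def mask(self, places):
        return sum(self.bit(p) for p in places)

    def update(self, eid):
        """Procedure Update: the places concurrent with e• are those concurrent with every x in X."""
        _, X, outputs = EVENTS[eid]
        places = self.mask(self.co)       # places := P
        for x in X:
            places &= self.co[x]          # drop p unless x co p for every x in X
        for o in outputs:
            self.add_place(o)
        out_mask = self.mask(outputs)
        for o in outputs:                 # (e• x e•) without the diagonal, and (e• x places)
            self.co[o] = places | (out_mask & ~self.bit(o))
        for p in list(self.co):           # (places x e•)
            if places & self.bit(p):
                self.co[p] |= out_mask

    def concurrent(self, p, q):
        return bool(self.co[p] & self.bit(q))


def history(p):
    """All events causally preceding place p (empty for minimal places)."""
    if p[2] is None:
        return set()
    return {p[2]} | {h for x in EVENTS[p[2]][1] for h in history(x)}


def co_by_definition(p, q):
    """Reference check: p co q iff p != q, neither precedes the other, and they are not in conflict."""
    if p == q:
        return False

    def precedes(a, b):                   # a < b: a is consumed by some event in b's past
        return any(a in EVENTS[e][1] for e in history(b))

    conflict = any(e1 != e2 and EVENTS[e1][1] & EVENTS[e2][1]
                   for e1 in history(p) for e2 in history(q))
    return not (precedes(p, q) or precedes(q, p) or conflict)


def build_relation():
    rel = CoRelation()
    for eid in EVENTS:                    # dict order is the order in which the events are added
        rel.update(eid)
    return rel


def agrees_with_definition(rel):
    places = list(rel.co)
    return all(rel.concurrent(p, q) == co_by_definition(p, q) for p in places for q in places)


def possible_extensions(rel, pre_t):
    """Co-sets X labelled by •t (pre_t: required state per component, IDLE if the component
    does not take part): enumerate the label matches (a), keep the pairwise concurrent ones (b)."""
    candidates = [[p for p in rel.co if p[0] == i and p[1] == s]
                  for i, s in enumerate(pre_t) if s is not IDLE]
    return [set(X) for X in product(*candidates)
            if all(rel.concurrent(p, q) for p in X for q in X if p != q)]
```

After all four events have been added, `possible_extensions(rel, ("s2", "r1"))` finds the single co-set `{(0, "s2", 2), (1, "r1", 3)}`, while `("s3", "r1")` yields nothing because the place labelled `r1` precedes event 4 and is therefore not concurrent with its output place.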

7 Experimental Results 

Table 1. Experimental results 

                  Synch. Prod.          Imp1                      Imp12          Imp2 
System           Comp.  Trans.  Events  Cut-offs     Time      Time     Events  Cut-offs    Time 
DPH(7)              15     121   40672     21427   623.79    117.57      19306      9693   22.39 
ELEVATOR(4)          7     939   16935      7337    96.03     24.32      16935      7337   25.42 
KEY(3)               8     133    6940      2921    16.38      3.57       7187      3032    2.44 
MMGT(3)              7     172    5841      2529     7.88      2.61       5841      2529    2.18 
W)                  18     194    8402      1173    44.34     12.67       8030      1125   10.21 
RING(24)            48     264   12745      1082   152.42     33.90      10722      1082   34.70 
RW(12)              25     313   49177     45069    69.95     22.61      49177     45069   83.54 
BUFFER(240)        240     241   28921         1  7098.06   1980.78      28921         1   34.81 
CYCLIC(1000)      2000    5999    8996      1001  1372.24   1338.36       8996      1001   63.83 
SENTST(2000)      2005    2030    2191        40   311.81    186.65       2030        40    8.33 

The abstract algorithm of Section [?] was originally introduced in [?] for systems 
modelled by Petri nets. The same paper contained performance measures of an 
implementation, called Imp1 in the sequel. Since synchronous products can be 
given a Petri net semantics, as sketched in Section [?], Imp1 can also be applied to 
synchronous products. So it is possible to compare the performances of Imp1 and 
the implementation of Section 6, called Imp2 in the sequel. The main differences 
between Imp1 and Imp2 are 

(a) Imp1 uses the adequate order of [?], while Imp2 uses $\prec_2$; 

(b) Imp1 computes the concurrency relation by the three-step procedure de- 
scribed at the beginning of Section 6.3, while Imp2 uses the Update proce- 
dure; 

(c) Imp1 computes $Marking([e])$ (the equivalent of $GState([e])$ in [?]) by means 
of a backward search, while Imp2 uses the procedure derived from Proposition 4. 

The differences (a) and (c) are inherent to the change of model: Petri nets 
for Imp1, and synchronous products for Imp2. On the contrary, the difference 
(b) is accidental: when Imp1 was programmed, we had not found the Update 
procedure. So it makes sense to consider a third implementation, Imp12, which 
coincides with Imp1 on (a) and (c), and with Imp2 on (b). 

We have chosen a set of benchmarks compiled by Corbett in [?]; for a de- 
scription of the systems the reader is referred to [?] and [?]. All benchmarks 
are scalable. Table 1 displays the results of the experiments for some represen- 
tative cases. The experiments were carried out on a Sun Ultra 60 (295 MHz 
UltraSPARC-II) with 640 MB RAM using Solaris 2.7. The displayed data are 
the number of components and the number of global transitions of the prod- 
uct, the number of events of the complete prefix, the number of cut-off events, 
and the computation time (in seconds). The size of the unfoldings for Imp1 and 
Imp12 is always the same, since they both use the same adequate order. The 
benchmarks above the double horizontal line have a large ratio cut-offs/events, 
corresponding to wide but shallow prefixes, while those below have a small ra- 
tio, corresponding to narrow and deep prefixes. The results indicate that Imp2 
is indeed more efficient than Imp1. A closer look, and a comparison with Imp12, 
indicates that: 

— For large cut-off ratios, the speed-up factor lies between 3 and 5, and it is 
due to the new procedure for the computation of the concurrency relation. 
— For small cut-off ratios, the speed-up factor is of 1 to 2 orders of magnitude, 
and it is due to the new order, and to the new procedure for computing 
$GState$. 

These provisory conclusions still need to be tested on more examples. 

8 Conclusions 

We have adapted the unfolding technique to Arnold’s synchronous products 
of transition systems. The fact that a synchronous product consists of a fixed 
number of communicating sequential components has been used to simplify the 
unfolding procedure. We have obtained adequate orders simple to define and 
simple to prove correct. 

We mentioned in the introduction that Langerak and Brinksma have applied 
the unfolding technique to a CSP-like process algebra [?]. The algebra has more 
modelling power than synchronous products; in particular, it is able to model 
nested parallelism, which synchronous products cannot. The price to pay is a 
more complicated adequate order than $\prec_1$ or $\prec_2$, although simpler than the 
order of [?] for Petri nets. Together with ours, Langerak and Brinksma's paper 
gives strong evidence that the unfolding technique can be applied to any model 
of concurrency allowing for a notion of independent actions. 

We have presented an efficient implementation of the abstract algorithm for 
the construction of a complete finite prefix, which improves on the implementa- 
tion of [?]. The speed-ups can reach two orders of magnitude in very favourable 
cases. A speed-up factor of at least 3 to 5 is achieved in nearly all cases. 
In this talk, translations between several models of concurrent systems are re- 
viewed or proposed. The models considered capture causality, branching time, 
and their interplay, and these features are preserved by the translations. To the 
extent that the models are intertranslatable, this yields support for the point 
of view that they are all different representations of the same phenomena. The 
translations can then be applied to reformulate any issue that arises in the con- 
text of one model into one expressed in another model, which might be more 
suitable for analysing that issue. To the extent that the models are not inter- 
translatable, my investigations are aimed at classifying them w.r.t. their expres- 
siveness in modelling phenomena in concurrency. The results are summarised in 
the figure at the end of this paper. 

Starting point is the work of Nielsen, Plotkin and Winskel [?] in which 
safe Petri nets are translated, through the intermediate stages of occurrence 
nets, prime event structures with a binary conflict relation, and their families of 
configurations, into a class of Scott domains. 




1 From Nets to Configurations 

In Van Glabbeek and Plotkin [?] extensions of the translations above to 
unsafe Petri nets have been studied. For this purpose two different schools of 
thought in interpreting the causal behaviour of nets needed to be distinguished, 
which we called the individual and collective token philosophy. Their difference is 
illustrated by the following net. According to the individual token philosophy, it 

has an execution in which the action b causally depends on a, whereas according 
to the collective token philosophy, a and b are always causally independent. 
In Meseguer, Montanari and Sassone [?], the unfolding from [?] 
translating safe nets into the subclass of occurrence nets, is extended to arbitrary 
nets, while preserving the individual token interpretation. It follows that under 
this interpretation prime event structures are expressive enough to represent all 
processes expressible by Petri nets. 

Under the collective token interpretation there turn out to be nets whose 
causal behaviour cannot be faithfully represented by a prime event structure. 
Representative examples are the two nets below, modelling what I often call 

disjunctive causality and resolvable conflict, respectively. 

In Winskel [?] a more general notion of event structure is proposed, ex- 
tending the prime event structures with a binary conflict relation from [?] 
along with matching generalisations of the families of configurations and Scott 
domains. These event structures capture disjunctive causality, but not resolvable 
conflict. 

The families of configurations of Winskel's event structures were introduced 
merely to facilitate the construction of the Scott domains associated to these 
event structures. In Van Glabbeek and Goltz [?] we found it convenient to 
use such families as a model of concurrency in its own right. In this context 
the families were called configuration structures. A configuration structure can 
be given by a set of events, modelling occurrences of actions the represented 
system may perform, possibly a labelling function, associating actions to events, 
and a collection of sets of events, the configurations, modelling the states of the 
represented system, and satisfying a number of closure conditions. A configu- 
ration represents the state in which the events it contains have occurred. The 
closure conditions ensure that each configuration structure can be regarded as 
the family of configurations of an event structure. 

In [?] we proposed to drop the closure conditions, thereby obtaining a more 
general model of concurrency, capturing both disjunctive causality and resolvable 
conflict. The resulting configuration structures are, up to isomorphism, the exten- 
sional Chu spaces of Gupta and Pratt [?], but equipped with a slightly differ- 
ent computational interpretation. Through suitable translations we showed that 
these configuration structures are equally expressive as general Petri nets with- 
out self-loops. Such nets are called pure. To this end we defined a 1-occurrence net 
to be a Petri net in which each transition can fire at most once, and we showed 
how any (pure) Petri net can be converted into a (pure) 1-occurrence net, using 
a construction we called 1-unfolding. We argued that this conversion preserves 
essential features of the represented system like causality and branching time. It 
may convert a finite net into an infinite one, however. The translations between 
pure 1-occurrence nets and configuration structures take the transitions of the 
net to be the events of the configuration structure and vice versa; this way a con- 
figuration structure can be fully recovered from its Petri net representation. Our 
translations also extend the correspondence between flow nets and flow event 
structures proposed in Boudol [?]. 

ST-configuration structures are a further generalisation of configuration 
structures in which the configurations may contain certain events 'partially' (in 
case they are currently being executed). They are (a mild generalisation of) 
what are called local event structures in Hoogers, Kleijn and Thiagarajan [?]. 
In forthcoming work, Gordon Plotkin and I extend the translations be- 
tween pure nets and configuration structures to translations between arbitrary 
Petri nets and ST-configuration structures, thus showing that also these models 
are equally expressive. The same was done, using a different construction, for 
general Petri nets without autoconcurrency in [?]. We also propose a matching 
generalisation of the model of event structures. 

2 Scott Domains versus Process Graphs 

In [?] a "curious mismatch" is observed between the domains that result from 
translating nets or event structures, and the ones originally studied by Scott 
[?]. Although mathematically of the same nature, a domain that arises through 
the translations of [?] represents a single concurrent system, namely the same 
one represented by the Petri net or event structure it originated from. In domain 
theory, on the other hand, processes show up at best as the elements of a domain. 
Thus the use of domains to represent concurrent systems is novel in [?]. 

In most models of concurrency, attention is restricted to discrete processes, 
i.e. processes that can perform only finitely many actions in a finite time. Petri 
nets are commonly interpreted to represent discrete processes — this comes with 
the common definitions of the firing rule. On prime event structures the axiom of 
finite causes restricts attention to the structures representing discrete systems, 
and in Winskel's general event structures discreteness is obtained by the way the 
notion of a configuration of an event structure is defined. A Scott domain is a 
partially ordered set, satisfying certain conditions. The finite elements in such a 
domain are the ones that dominate only finitely many other elements. A discrete 
Scott domain (resulting from translating a discrete event structure) has the prop- 
erty that its infinitary part is redundant, in the sense that it can be recovered in 
full from its finitary part (the partial suborder of its finite elements). The fini- 
tary part of a domain can, without loss of information, be trivially represented, 
and is often displayed, as an unlabelled rooted graph. Therefore I argue that 
the correspondence between event structures and domains proposed in [?], and 
generalised to all event structures in [?], can equivalently, or maybe better, be 
regarded as a correspondence between event structures and a class of unlabelled 
transition systems or process graphs. As remarked in [?], this correspondence can 
trivially be extended to labelled event structures and transition systems; the lat- 
ter are easier to label than domains. It follows immediately that process graphs, 
or labelled transition systems, are at least as capable of expressing causality as 
labelled event structures. 

The computational interpretation of domains, inherited from that of event 
structures, naturally applies to the process graphs corresponding with those 
domains. These graphs capture causality through confluence of squares of tran- 
sitions. This computational interpretation can be extended to process graphs 
that do not correspond to event structures or Scott domains. It can be seen 
as an enrichment of the classical interpretation of process graphs. Just like any 
process graph can be unfolded into a tree, while preserving its interleaving inter- 
pretation, I propose a causality respecting unfolding of arbitrary process graphs 
into so-called history preserving ones, which preserves transition squares. His- 
tory preserving process graphs generalise the Scott domains originating from the 
general event structures of [?]. They can also model phenomena like resolvable 
conflict that are not expressible by these event structures. 

Several brands of transition systems enriched with some auxiliary structure 
to capture causality have been proposed as models of concurrency, cf. the asyn- 
chronous transition systems of Shields and Bednarczyk [?], the behaviour 
structures of Rabinovich and Trakhtenbrot [?], the concurrent transition 
systems of Stark [?] and Droste [?], and the transition systems with indepen- 
dence of Nielsen and Winskel [?]. In each of these cases the added structure 
does not fundamentally increase their expressiveness: after a suitable behaviour- 
preserving unfolding, the causalities expressed by this added structure are com- 
pletely determined by the underlying transition system, which always forms a 
history preserving process graph. 

Event automata, studied by Pinna and Poigné [?], fit between configura- 
tion structures and ST-configuration structures. Through appropriate transla- 
tions these can be shown to be equally expressive as the so-called configuration- 
deterministic process graphs. Graphs which are not configuration deterministic 
do not correspond to nets or event-oriented models. Interestingly, translating 
back and forth between event automata and process graphs may repeatedly in- 
crease the number of events of the event automaton representation of the system 
in question, namely by splitting events into subevents that occur in disconnected 
parts of the system representation. Hence these translations cannot be expressed 
as reflections or coreflections in a suitable categorical framework. 

3 Higher Dimensional Automata 

The concurrent interpretation of process graphs allows one to think of squares and cubes as being “filled in”. Pratt proposes a geometric model of concurrency [ref], refining this approach by not necessarily filling in all squares and cubes, but explicitly filling in only those that one wants to represent concurrency. Alternative formalisations of this idea appear in Van Glabbeek [ref], Goubault and Jensen [ref] and Cattani and Sassone [ref]. Although the resulting model of higher dimensional automata is more complicated than that of plain automata or process graphs, it is more expressive as well.

[figure of the Petri net and the corresponding cube omitted in scan]

The Petri net below, for instance, is expressible by a higher dimensional automaton in the form of a cube, as displayed above, of which all 6 sides are filled in (representing the 6 possible concurrent firings of two transitions, either before or after the third one fires), but the interior is not. The causal behaviour of this system cannot be represented by a process graph, and hence neither by an event automaton, nor by a pure Petri net. Process graphs and the mentioned transition systems with extra structure to capture causality can be regarded as one- and two-dimensional automata, respectively.

A representation of higher dimensional automata in which the names of both events and actions are incorporated is given by labelled step transition systems (LSTSs), see also Badouel [ref]. These naturally unfold into (alternative representations of) ST-configuration structures. Petri nets translate to LSTSs by taking their marking graphs; LSTSs translate to higher dimensional automata as in [ref] by forgetting event names (but remembering their labels).

Ehrenfeucht and Rozenberg [ref] characterised which process graphs can be obtained as the marking graphs of safe nets. Likewise, Mukund characterised which LSTSs can be obtained as the step marking graphs of general Petri nets. Both papers also yield translations back from (step) transition systems to nets, but only for systems in the characterised class. More general translations from LSTSs to nets can be obtained through unfolding.
Abstract. The π-calculus [ref] has introduced in concurrency the concept of link mobility, namely the possibility of communicating values which can afterwards be used as communication means (i.e. channels). Since the original work on the π-calculus, many variants and related paradigms have been introduced, including the asynchronous π-calculus [ref], the π-calculus with input-guarded choice [ref], the π-calculus with internal communication [ref], the Fusion Calculus [ref], and the Join Calculus [ref]. In general, these variants introduce restrictions that allow for a simpler formal treatment, and/or a more direct modeling of some of the features of distributed systems (like asynchronous communication).

Some recent results suggest that the expressive power of these variants can be very different when distribution constraints are taken into consideration. In this talk, I will focus on the relative expressiveness of some of these variants, and discuss possible approaches to their distributed implementation.
Abstract. In this tutorial we describe general approaches to deciding 
bisimilarity between vertices of (infinite) directed edge-labelled graphs. 
The approaches are based on a systematic search following the definition 
of bisimilarity. We outline (in decreasing levels of detail) how the search 
is modified to solve the problem for finite graphs, BPP graphs, BPA 
graphs, normed PA graphs, and normed PDA graphs. We complete this 
by showing the technique used in the case of graphs generated by one- 
counter machines. Finally, we demonstrate a general reduction strategy 
for proving undecidability, which we apply in the case of graphs generated 
by state-extended BPP (a restricted form of labelled Petri nets). 



1 Bisimulation Equivalence

The bisimulation game is played on a “board” which consists of a (generally infinite) directed edge-labelled multigraph (several edges can lead between two vertices), simply called a graph in the following. We assume that this graph is labelled from a finite set of labels, and that it is finite-branching: that every vertex has finite out-degree. In particular, it is image-finite: for every vertex $E$ and every label $a$, the set $succ_a(E) = \{F : E \xrightarrow{a} F\}$ is finite. We also assume that these successor sets are effectively constructible.

A game is defined by two vertices $E_0$ and $F_0$ of a graph, as well as a predetermined time limit $n \in \mathbb{N} \cup \{\omega\}$ (where $\mathbb{N} = \{0, 1, 2, 3, \ldots\}$); we specify such a game by $G_n(E_0, F_0)$. We have two players competing in the game whom we refer to as Alice (the “Attacker”) and Bob (the “Bisimulator”). Their individual goals are as follows:

1. Alice wants to show that $E_0$ and $F_0$ are in some sense “different”.

2. Bob wants to show that $E_0$ and $F_0$ are in the same sense “the same”.
The sense in which two vertices are deemed to be the same is given by the rules for playing the game. A play of the game is a sequence of pairs $(E_0, F_0)(E_1, F_1)\cdots$ of length $\le 1+n$, with the next pair in the sequence after $(E_i, F_i)$ arising as follows:

1. Alice chooses an edge $E_i \xrightarrow{a} E_{i+1}$ or $F_i \xrightarrow{a} F_{i+1}$;

2. Bob chooses a matching edge $F_i \xrightarrow{a} F_{i+1}$ or $E_i \xrightarrow{a} E_{i+1}$.

Alice is thus acting as an attacker, trying to choose an edge leading out of one of the vertices which she believes cannot be matched by any edge (with the same label) leading out of the other vertex; Bob on the other hand is defending his thesis that the vertices are equal, that any edge leading out of either of the vertices has a matching edge leading out of the other vertex. Alice wins a play of the game if Bob ever gets stuck (that is, if he cannot respond to a move by Alice); and Bob wins any play of length $n$ (that is, any “timed-out” play in which the players have exchanged $n$ moves) as well as any play in which Alice finds herself with no move possible (that is, if there are no edges leading out of either of the two specified vertices).

We are interested in knowing if Bob has a winning (i.e., defending) strategy for the game $G_n(E_0, F_0)$, that is, if he is able to win any play of the game regardless of the moves made by Alice. To this end, we make the following definitions. For $n \in \mathbb{N}$, we say that $E_0$ and $F_0$ are $n$-game equivalent (written $E_0 \sim_n F_0$) iff Bob has a winning strategy for the game $G_n(E_0, F_0)$; and we say that $E_0$ and $F_0$ are game equivalent (written $E_0 \sim F_0$) iff Bob has a winning strategy for the game $G_\omega(E_0, F_0)$. The relation $\sim$ is referred to as bisimulation equivalence, or bisimilarity. Before proceeding, it is worth recording the following straightforward facts.



Fact 1. $\sim_n$ and $\sim$ are equivalence (reflexive, symmetric, transitive) relations.

Fact 2. $\sim_0 \supseteq \sim_1 \supseteq \sim_2 \supseteq \sim_3 \supseteq \cdots \supseteq \sim$.

The following fact gives us an inductive characterisation of the finite-game equivalences.

Fact 3 (“Stratified Bisimilarity”).

1. $E \sim_0 F$ for all $E, F$.

2. $E \sim_{n+1} F$ iff

(a) if $E \xrightarrow{a} E'$ then $F \xrightarrow{a} F'$ with $E' \sim_n F'$;

(b) if $F \xrightarrow{a} F'$ then $E \xrightarrow{a} E'$ with $E' \sim_n F'$.

Fact 3 can be used as the basis of a recursive algorithm for determining if $E \sim_n F$, that is, if Bob has a winning strategy for $G_n(E, F)$. Less obvious is how to devise an algorithm for determining if $E \sim F$. As a start, the following fact gives us a coinductive characterisation of the infinite-game equivalence.
Fact 4 (“Bisimilarity”).

$\sim$ is the largest relation $\equiv$ satisfying: if $E \equiv F$ then

1. if $E \xrightarrow{a} E'$ then $F \xrightarrow{a} F'$ with $E' \equiv F'$;

2. if $F \xrightarrow{a} F'$ then $E \xrightarrow{a} E'$ with $E' \equiv F'$.

The characterisation given in Fact 4 does not in general give rise to any effective procedure for determining if $E \sim F$. However, given our assumption of image-finiteness, we can use the following fact to exploit the finite-game characterisation of Fact 3 to verify that $E \not\sim F$.

Fact 5. For image-finite graphs, $\sim \;=\; \bigcap_{n \in \mathbb{N}} \sim_n$.

Hence in the case of image-finite graphs, the non-equivalence problem $E \not\sim F$ is semi-decidable: we simply use Fact 3 to find the smallest $n$ such that $E \not\sim_n F$.
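As an added worked example (not part of the tutorial), the recursion of Fact 3 and the bounded search of Fact 5 in Python over a small constructed graph; the graph, its vertex names and the function names are this example's own assumptions:

```python
# Constructed sample graph (not from the tutorial): vertex -> list of
# (label, successor) edges, i.e. a finite, edge-labelled, image-finite graph.
# P performs 'a' and then offers a choice between 'b' and 'c'; Q resolves that
# choice already with its first 'a'.  R and S are cyclic and bisimilar.
GRAPH = {
    "P": [("a", "P1")], "P1": [("b", "0"), ("c", "0")],
    "Q": [("a", "Q1"), ("a", "Q2")], "Q1": [("b", "0")], "Q2": [("c", "0")],
    "0": [],
    "R": [("a", "R1")], "R1": [("b", "R"), ("c", "R")],
    "S": [("a", "S1"), ("a", "S2")],
    "S1": [("b", "S"), ("c", "S")], "S2": [("b", "S"), ("c", "S")],
}


def succ(graph, vertex, label):
    """succ_a(E): the (finite) set of a-successors of E."""
    return {target for (lab, target) in graph[vertex] if lab == label}


def labels(graph, vertex):
    """Labels of the edges leading out of a vertex."""
    return {lab for (lab, _) in graph[vertex]}


def n_game_equivalent(graph, e, f, n):
    """E ~n F, computed by the recursion of Fact 3: every pair is ~0, and
    E ~n+1 F iff each edge Alice chooses on either side can be matched by
    Bob with an equally labelled edge leading to an ~n pair."""
    if n == 0:
        return True
    for lab in labels(graph, e) | labels(graph, f):
        # clause (a): Alice moves from E, Bob must answer from F
        for e2 in succ(graph, e, lab):
            if not any(n_game_equivalent(graph, e2, f2, n - 1)
                       for f2 in succ(graph, f, lab)):
                return False
        # clause (b): Alice moves from F, Bob must answer from E
        for f2 in succ(graph, f, lab):
            if not any(n_game_equivalent(graph, e2, f2, n - 1)
                       for e2 in succ(graph, e, lab)):
                return False
    return True


def least_distinguishing_round(graph, e, f, bound):
    """Semi-decision procedure for E ≁ F based on Fact 5: return the least n
    with E ≁n F (Alice wins G_n), or None if no such n <= bound exists.
    On bisimilar pairs the unbounded search would never stop, hence the bound."""
    for n in range(bound + 1):
        if not n_game_equivalent(graph, e, f, n):
            return n
    return None
```

On this graph least_distinguishing_round(GRAPH, "P", "Q", 5) returns 2: Alice's first move cannot be told apart, but after Bob's answer the remaining choice between b and c can. For R and S the search returns None for any bound, in agreement with the two vertices being bisimilar; this is exactly why the procedure is only a semi-decision procedure for non-equivalence.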

We can be more explicit as to what constitutes a winning strategy for Bob for the game $G_\omega(E_0, F_0)$; this is a set $B$ of pairs of vertices containing $(E_0, F_0)$ which satisfies the following property:

For every pair $(E, F) \in B$,

1. if $E \xrightarrow{a} E'$ then $F \xrightarrow{a} F'$ with $(E', F') \in B$;

2. if $F \xrightarrow{a} F'$ then $E \xrightarrow{a} E'$ with $(E', F') \in B$.

That such a set constitutes a winning strategy for Bob is clear: he merely uses this set to choose matching edges, maintaining the invariant that the pair offered to Alice is in the set $B$. Furthermore, if Bob has a winning strategy for the game $G_\omega(E_0, F_0)$, then this strategy can be represented by such a set: we merely take the collection of all pairs which appear after every exchange of moves during any and all plays in which Bob uses this strategy. A set $B$ which satisfies the above property is referred to as a bisimulation relation. Thus $\sim$ is the maximal bisimulation and the following is apparent.

Fact 6. $\sim$ is the union of all bisimulation relations (winning strategies for Bob).



2 Decidability

Deciding whether or not $E_0 \sim F_0$ amounts to deciding whether or not there is a bisimulation relation containing the pair $(E_0, F_0)$. A straightforward idea for tackling this problem is to employ some systematic search for such a potential bisimulation. In Section 2.1 we describe a general procedure which arises naturally from the definition of a bisimulation, and demonstrate its (modified) use in various contexts, particularly in Section 2.2 for classes of graphs determined by various process algebras. In Section 2.3 we outline a different approach, exemplified on the class of graphs generated by one-counter machines.
2.1 Expansion Trees

Given two sets $B$ and $A$ of pairs of vertices, $A$ is called an expansion of $B$ iff it is a minimal set (wrt inclusion) satisfying the following property:

For every pair $(E, F) \in B$,

1. if $E \xrightarrow{a} E'$ then $F \xrightarrow{a} F'$ with $(E', F') \in A$;

2. if $F \xrightarrow{a} F'$ then $E \xrightarrow{a} E'$ with $(E', F') \in A$.

Note that a nonempty set fails to have an expansion precisely when it contains a pair $(E', F')$ such that $E' \not\sim_1 F'$; and it has (the single) expansion $\emptyset$ iff it contains only pairs of vertices with out-degree zero. Note further that, due to our image-finiteness assumption, a finite set has only finitely many expansions, all of which are finite.

Comparing this definition to that of a bisimulation relation, we observe that a bisimulation relation containing $B$ must contain some expansion $A$ of $B$. The following fact then becomes apparent.

Fact 7. If $A \subseteq B$ and $A$ is an expansion of $B$ then $B$ is a bisimulation relation, and hence $B \subseteq\; \sim$.

More generally, to decide if $E_0 \sim F_0$, that is, if there is a bisimulation $B$ containing the pair $(E_0, F_0)$, we might try to expand $A_0 = \{(E_0, F_0)\}$ recursively (find an expansion $A_{k+1}$ of $A_k$ for each $k = 0, 1, 2, \ldots$) and hope to arrive at a set $A_n \subseteq B = \bigcup_{k<n} A_k$. In this case, some $A \subseteq B$ would be an expansion of $B$, so Fact 7 would give us that $B \subseteq\; \sim$, in particular, that $E_0 \sim F_0$.

Following this idea, we adapt from Hirshfeld [ref] the idea of an expansion tree, which is a (generally infinite) tree whose nodes are (labelled by) sets of pairs of vertices, in which the children of a node are precisely the (finitely many) expansions of that node. The empty node is an example of a leaf (it has no successors) and is deemed to be successful; all other leaves are unsuccessful. We say that a branch (a full path through the tree) is successful iff it is infinite or finishes with a successful node; otherwise it is unsuccessful (it finishes with an unsuccessful node). We observe that the union of the nodes along a successful branch constitutes a bisimulation, and the following fact thus becomes apparent.

Fact 8. $E_0 \sim F_0$ iff the expansion tree rooted at $\{(E_0, F_0)\}$ has a successful branch.

Note that in the case $E_0 \not\sim F_0$, the expansion tree rooted at $\{(E_0, F_0)\}$ is necessarily finite, and hence semidecidability of nonbisimilarity once again becomes apparent.

In general, we can search for a (finite) successful branch using breadth-first search (recall that the tree is finite branching). This is surely sufficient in the case of finite acyclic graphs, where the expansion trees are always finite; the search of the expansion tree rooted at $\{(E_0, F_0)\}$ either finds a successful leaf (in which case $E_0 \sim F_0$) or terminates having found only unsuccessful leaves (in which case $E_0 \not\sim F_0$).
Example 1: Finite acyclic graphs.

In this example, we have a finite acyclic graph containing vertices $X$, $A$ and $A'$ (amongst others), and we demonstrate that $X \not\sim A$ and $A \sim A'$, by building the expansion trees rooted at $\{(X, A)\}$ and $\{(A, A')\}$, respectively. The first tree has only one leaf, which is unsuccessful, while the second tree has two leaves, one of which is successful (the other not).

[figure of the graph and the two expansion trees omitted in scan]



The naive procedure described above is of course of little use if the expansion tree of interest has infinitely many nodes. To handle such cases, we shall devise techniques for modifying the tree during construction. What we aim for is an effective construction of a tree which is still finite branching, still has only finite nodes, and such that Fact 8 is maintained: that our pair of vertices is bisimilar iff there is a successful branch in this tree. Finally, we further aim to achieve the finite witness property: if there are successful branches, then at least one of these is finite. This property will ensure decidability, as the breadth-first search must either find this finite witness or terminate having discovered all branches are unsuccessful.

The modifications are accomplished through the use of rules which alter the definition of the children of a node in the tree and are safe, meaning that they maintain Fact 8. To suggest such rules, we first observe the following.

Fact 9. For any node $A \neq \emptyset$ and any $n \in \mathbb{N}$,

$A \subseteq\; \sim_{n+1}$ iff $A$ has a child $C \subseteq\; \sim_n$.

As a consequence, $A \subseteq\; \sim$ iff $A$ has a child $C \subseteq\; \sim$.

This fact implies Fact 8 and hence any rule which respects it maintains safeness. Furthermore, the least $n$ such that $E \not\sim_n F$ for some pair $(E, F)$ in a node gives an upper bound on the depth of the subtree rooted at this node; in other words, if the subtree rooted at $B$ is of depth $n$, then $E \sim_n F$ for all $(E, F)$ in $B$. Therefore, any application of the following “abstract” rule maintains Fact 8 (and is hence safe); it can only diminish the size of the tree. (By $A^{\uparrow}$ we mean the union of all ancestor nodes of $A$.)

Omitting Rule: We can omit from a node $A$ any pair $(E, F)$ whenever there is $B \subseteq A^{\uparrow}$ such that $\forall n \in \mathbb{N}$, if $B \subseteq\; \sim_n$ then $E \sim_n F$.

We call this rule abstract since it is in general not effectively computable. A concrete, that is, effectively computable, instance of this rule, based on the fact that the relations $\sim_n$ are equivalences, is provided by the following.

Equivalence Rule: Omit from node $A$ the pair $(E, F)$ if it belongs to the least equivalence containing $A^{\uparrow}$.

This rule, for example, allows us to omit reflexive pairs $(E, E)$ from expansion sets, as well as pairs $(E, F)$ which have appeared in some ancestor node either as $(E, F)$ or symmetrically as $(F, E)$. However, there are only finitely many non-reflexive pairs in the equivalence generated by the finitely many ancestor pairs; these pairs can be easily computed, showing that this rule is effective. As such, the rule is not too powerful; essentially, it only allows us to handle finite graphs.



Example 2: Finite graphs.

In this example, we have a graph similar to that of Example 1 but with cycles introduced. Using our newly-introduced simplification rule, we get the same expansion tree as in Example 1 to show that $X \not\sim A$, and the given expansion tree to show that $A \sim A'$.

[figure of the graph and the expansion tree omitted in scan]

Note that this is by no means the most efficient algorithm for this problem; better algorithms based on partition refinement have been devised [refs]. We merely present this as a basic application of the general method (which we shall apply to various classes of infinite graphs).

Finally, note that the union of the nodes along a successful branch need no longer be a bisimulation; it is now a set $B$ which is guaranteed to have an expansion $A$ such that for all $n \in \mathbb{N}$, $B \subseteq\; \sim_n$ implies $A \subseteq\; \sim_n$ (which implies that $B \subseteq\; \sim$). Sets with this property are also the outcomes (when the input pair is bisimilar) of the algorithms outlined further in the following sections.
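As an added example (not part of the tutorial), the breadth-first search of the expansion tree of Section 2.1 with the Equivalence Rule applied to every child, in Python over a constructed finite graph with cycles in the spirit of Example 2; the graph, its vertex names and the function names are this example's assumptions:

```python
from collections import deque
from itertools import product

# Constructed finite graph with cycles (not the graph of the tutorial's
# Example 2): vertex -> list of (label, successor).  A and A' are bisimilar
# (A' unfolds its a/b cycle twice); X is not bisimilar to A, since after
# its 'a' it can repeat 'b' forever while A cannot.
GRAPH = {
    "A": [("a", "B")], "B": [("b", "A")],
    "A'": [("a", "B1"), ("a", "B2")],
    "B1": [("b", "A'")], "B2": [("b", "A''")], "A''": [("a", "B2")],
    "X": [("a", "Y")], "Y": [("b", "Y")],
}


def succ(graph, vertex, label):
    return {t for (lab, t) in graph[vertex] if lab == label}


def expansions(graph, node):
    """All expansions of a node (Section 2.1).  Every edge out of E (resp. F)
    of a pair (E, F) in the node is an obligation: one matching edge out of F
    (resp. E) must be chosen.  Each combination of choices gives a candidate
    set; the inclusion-minimal candidates are the expansions.  The result is
    empty as soon as some obligation cannot be met (a pair with E' ≁1 F')."""
    obligations = []
    for (e, f) in node:
        for (lab, e2) in graph[e]:
            alternatives = [(e2, f2) for f2 in succ(graph, f, lab)]
            if not alternatives:
                return []
            obligations.append(alternatives)
        for (lab, f2) in graph[f]:
            alternatives = [(e2, f2) for e2 in succ(graph, e, lab)]
            if not alternatives:
                return []
            obligations.append(alternatives)
    candidates = {frozenset(choice) for choice in product(*obligations)}
    return [c for c in candidates if not any(d < c for d in candidates)]


def in_least_equivalence(pairs, e, f):
    """Is (e, f) in the least equivalence relation containing `pairs`?
    Union-find over the vertices involved; reflexive pairs always qualify."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for (x, y) in pairs:
        parent[find(x)] = find(y)
    return find(e) == find(f)


def bisimilar(graph, e0, f0):
    """Breadth-first search of the expansion tree rooted at {(e0, f0)}, with
    the Equivalence Rule applied to every child: pairs already in the least
    equivalence generated by the ancestors A↑ are omitted.  Returns the union
    of the nodes along the first successful branch (the set B described at
    the end of Section 2.1), or None if every branch is unsuccessful.  On a
    finite graph the search always terminates, since each non-empty child
    strictly coarsens the equivalence generated by its ancestors."""
    root = frozenset({(e0, f0)})
    queue = deque([(root, frozenset())])       # (node, A↑ of that node)
    while queue:
        node, ancestors = queue.popleft()
        if not node:
            return ancestors                   # empty node: successful leaf
        path = ancestors | node                # A↑ of the children of `node`
        for child in expansions(graph, node):
            pruned = frozenset(p for p in child
                               if not in_least_equivalence(path, *p))
            queue.append((pruned, path))
    return None
```

bisimilar(GRAPH, "A", "A'") returns the set {(A, A'), (B, B1), (B, B2), (A, A'')}: the pair (A, A') that reappears one level down is omitted by the Equivalence Rule, and the last child becomes empty, which is the successful leaf. bisimilar(GRAPH, "X", "A") returns None, because the node {(Y, A)} has no expansion at all.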
2.2 Process Algebras

In this section we consider bisimulation equivalence over graphs generated by (subalgebras of) the process algebra PA. A PA graph is defined by a finite set of productions of the form $X \xrightarrow{a} \alpha$, where $X$ ranges over a finite set $V$ of variables (there is at least one production for each $X \in V$), $a$ ranges over a finite set $\Sigma$ of labels, and $\alpha$ ranges over the terms of the free algebra over $V$ generated by a non-commutative associative operator “$\cdot$” (representing sequential composition) and a commutative associative operator “$|$” (representing parallel composition); we take $\varepsilon$ as the empty term. We shall usually drop the operator “$\cdot$”, thus representing the sequential composition of terms by concatenation. The vertices are given by the terms of the algebra, and the edges are specified by the production rules as extended to terms as follows: if $\alpha \xrightarrow{a} \beta$ then $\alpha\cdot\gamma \xrightarrow{a} \beta\cdot\gamma$ and $\alpha|\gamma \xrightarrow{a} \beta|\gamma$ (recall that $|$ is commutative). The subcases of BPA graphs (Basic Process Algebra) and BPP graphs (Basic Parallel Processes) are specified by taking terms from the free algebra over $V$ generated by only one of these operators, “$\cdot$” in the case of BPA and “$|$” in the case of BPP.

As there are only finitely many productions, the graphs are quickly seen to be finitely-branching (and hence image-finite); and taking the algebraic structure of terms into consideration, we can readily verify (by induction) that the relations $\sim_n$ (and hence also $\sim$) are not just equivalences over terms but congruences with respect to the two operators. Hence we can immediately introduce the following safe abstract rule, which is a special instance of the Omitting Rule.

Congruence Rule: Omit from node $A$ the pair $(\alpha, \beta)$ if it belongs to the least congruence containing $A^{\uparrow}$.

Again, the rule is called abstract since we do not claim its effectiveness in general. However, restricting ourselves to BPP, we notice that the terms can be viewed as nonnegative integer vectors (elements of $\mathbb{N}^k$ for $k = |V|$), and we thus work with finitely generated commutative semigroups, FGCSs (monoids, in fact). Decidability of the word problem for FGCSs (its EXPSPACE-completeness is shown in [ref]) implies that the Congruence Rule is effective for BPP. Moreover, the result that every congruence on a FGCS is finitely generated [ref] (so we cannot have an infinite sequence of strictly increasing congruences) shows that applying the rule makes (all branches of) our tree finite.

However, this is not how decidability was originally proved by Christensen, Hirshfeld and Moller [ref]. The ingeniously simple rule underlying this algorithm is given next. We suppose (by symmetry) that all pairs $(\alpha, \beta)$ in nodes are ordered lexicographically: $\alpha <_L \beta$; note that $<_L$ is a well ordering. The rule is then as follows.

BPP Rule: Do not include a pair $(\alpha', \beta|\gamma)$ in a node $A$ when some $(\alpha, \beta)$ is in $A^{\uparrow}$; instead consider the pair $(\alpha', \alpha|\gamma)$ (or the symmetric pair, depending on $<_L$).

The rule is obviously effective; it gives rise to a finite chain of considerations (for ever smaller, in $<_L$, right-hand sides) and finishes either by including a pair which has “no bigger” right-hand side than any pair in $A^{\uparrow}$ or by including nothing (due to reflexivity). Dickson's Lemma [ref] (that every infinite sequence in $\mathbb{N}^k$ has an infinite increasing subsequence) then guarantees the finiteness of every branch (every infinite branch is transformed into a finite successful one) and hence the finiteness of the whole tree. Furthermore, the safeness of this rule is guaranteed by the congruence property: if $\alpha \sim_n \beta$, then $\alpha|\gamma \sim_n \beta|\gamma$, so $\alpha' \sim_n \alpha|\gamma$ iff $\alpha' \sim_n \beta|\gamma$.

Remark. Relying on Dickson's Lemma alone, we cannot provide a primitive recursive bound for the length of branches; nevertheless it is quite possible that a detailed analysis of the special case for BPP would reveal an elementary bound (bounded number of exponentiations).

Remark. Note that this idea (of lexicographic ordering together with Dickson's Lemma) has been used by Hirshfeld [ref] to give a short self-contained proof that every congruence on a FGCS is finitely generated.

In fact, knowing that $\sim$ is a finitely generated congruence gives rise to another semidecision procedure for $\alpha \sim \beta$: “guess” (i.e., systematically search for) a finite set $B$ of pairs including $(\alpha, \beta)$, and an expansion $A$ of $B$ together with the proof that $A$ is included in the least congruence containing $B$. This semidecision procedure can be combined with the semidecision procedure for the negative question described earlier to yield a decision algorithm.

Unlike the case for BPP, for BPA algebras (noncommutative semigroups) we have non-finitely generated congruences (and the word problem is undecidable; see references in [ref]). For example, in the free semigroup generated by $\{a, b\}$, the infinite sequence $(bab, baab), (baab, baaab), \ldots, (ba^ib, ba^{i+1}b), \ldots$ has the property that no element belongs to the least congruence generated by the preceding elements. Nevertheless, Christensen, Hüttel and Stirling [ref] show that bisimulation equivalence on any BPA graph is a finitely generated congruence.

Given this fact, we can simply use the idea of combining two semidecision procedures as above. Nevertheless, we give a collection of safe and effective rules for modifying the expansion tree which illustrate the use of certain decompositions, that is, replacing “large” pairs by “smaller” ones. The rules will be instances of the next abstract rule.

Replacing Rule: To a node $A$, we can add a new sibling node where we replace a pair $(E, F)$ by a (finite) set $S$ of pairs when there is $B \subseteq A^{\uparrow}$ such that for all $n \in \mathbb{N}$, if $B \subseteq\; \sim_n$ and $S \subseteq\; \sim_n$ then $E \sim_n F$.

This rule is readily seen to be safe. Furthermore, if each of two siblings arises from the other through the application of this rule, then we can omit one of them; in this sense, the BPP Rule given above is a special instance of this rule.

Before giving our rules, we make the following technical definitions. We say that a term (sequence of variables) $\alpha$ is normed iff there is a path in the graph from $\alpha$ to $\varepsilon$; we denote by norm($\alpha$) the length of a shortest such path. If $\alpha$ is not normed, then we say that it is unnormed, and we note that $\alpha \sim \alpha\beta$ whenever $\alpha$ is unnormed. Hence we can assume that every term is of the form $\alpha$ or $\alpha X$ where $\alpha$ is normed and $X$ is unnormed.
BPA Rules:

1. If $(X\alpha, Y\beta)$ is in $A$ and some $(X\alpha', Y\beta')$ is in $A^{\uparrow}$, then we create a sibling node for $A$ containing $(\alpha, \alpha')$ and $(\beta, \beta')$ instead of $(X\alpha, Y\beta)$.

2. If $(X\alpha, Y\beta)$ is in $A$ where $X$ and $Y$ are normed, then we create sibling nodes containing (“decomposition pairs”) $(X, Y\gamma)$, ... instead, where norm($X$) = norm($Y\gamma$) (there are only finitely many of these).

The symmetric rules, and the use of the Equivalence Rule, are supposed implicitly; the safeness is readily verified. Since the rules apply recursively to all newly-created sibling nodes, the finite-branching of our tree can be cast in doubt. But we can demonstrate that the (modified) tree is finitely branching by using the following measure of size. We take size$(\alpha, \beta) = \max\{\mathrm{xnorm}(\alpha), \mathrm{xnorm}(\beta)\}$ where for normed $\gamma$ and unnormed $X$, xnorm($\gamma$) = xnorm($\gamma X$) = norm($\gamma$). There are only finitely many pairs with size $< n$ (for any $n$), and we observe that the size of any pair in any node created due to $A$ is bounded by the maximum size in $A \cup A^{\uparrow}$. In this sense we replace “large” pairs by “smaller” ones.
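As an added example (not part of the tutorial), the norm and xnorm computations of this section and the enumeration of the finitely many terms $\gamma$ with norm($X$) = norm($Y\gamma$) that supply the decomposition pairs $(X, Y\gamma)$ of BPA Rule 2, in Python over a constructed BPA; the productions, variable names and function names are this example's assumptions:

```python
import math

# Constructed BPA (not from the tutorial).  Productions: variable -> list of
# (label, right-hand side), a right-hand side being a tuple of variables;
# () is the empty term ε and sequential composition is concatenation.
PRODS = {
    "X": [("a", ("Y", "Y")), ("b", ("X", "X"))],   # norm(X) = 1 + norm(YY) = 3
    "Y": [("c", ())],                              # norm(Y) = 1
    "Z": [("a", ("Z",))],                          # unnormed: ε is unreachable
    "W": [("a", ("Z", "Y")), ("b", ())],           # norm(W) = 1, via b
}


def norms(prods):
    """norm(V) for every variable: the length of a shortest path from V to ε,
    or math.inf if V is unnormed.  Iterates norm(V) = 1 + min over the
    productions V -> α of norm(α), with norm(α) the sum over α's variables,
    starting from +∞ until nothing changes (a shortest-path fixed point)."""
    norm = {v: math.inf for v in prods}
    changed = True
    while changed:
        changed = False
        for v, rules in prods.items():
            best = min(1 + sum(norm[u] for u in rhs) for (_, rhs) in rules)
            if best < norm[v]:
                norm[v], changed = best, True
    return norm


def term_norm(norm, term):
    """norm of a term: the sum of the norms of its variables (inf if unnormed)."""
    return sum(norm[v] for v in term)


def xnorm(norm, term):
    """xnorm(γ) = xnorm(γX) = norm(γ) for normed γ and unnormed X: the norm of
    the longest normed prefix, since every term has the form γ or γX."""
    total = 0
    for v in term:
        if norm[v] == math.inf:
            break
        total += norm[v]
    return total


def size(norm, alpha, beta):
    """size(α, β) = max{xnorm(α), xnorm(β)}, the measure used to show that the
    modified expansion tree stays finitely branching."""
    return max(xnorm(norm, alpha), xnorm(norm, beta))


def decomposition_gammas(norm, x, y):
    """All normed γ with norm(Yγ) = norm(X), i.e. norm(γ) = norm(X) - norm(Y):
    the right components of the decomposition pairs (X, Yγ) of BPA Rule 2.
    Finitely many, because every normed variable has norm >= 1."""
    if norm[x] == math.inf or norm[y] == math.inf or norm[x] < norm[y]:
        return []
    normed_vars = sorted(v for v in norm if norm[v] < math.inf)

    def gen(remaining):
        if remaining == 0:
            yield ()
            return
        for v in normed_vars:
            if norm[v] <= remaining:
                for rest in gen(remaining - norm[v]):
                    yield (v,) + rest

    return sorted(gen(norm[x] - norm[y]))
```

With these productions norms(PRODS) gives norm(X) = 3, norm(Y) = norm(W) = 1 and leaves Z unnormed, so decomposition_gammas(N, "X", "Y") lists the four terms of norm 2 built from W and Y, while a pair whose left variable has the smaller norm, or an unnormed variable, yields no decomposition candidates at all.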

The finite-witness property is then guaranteed as follows. Suppose there is an infinite branch but no finite successful branch. Then we could extract an infinite sequence of pairs $(X\alpha_1, Y\beta_1), (X\alpha_2, Y\beta_2), \ldots$ with $\alpha_i \not\sim \alpha_j$ or $\beta_i \not\sim \beta_j$ for each $i \neq j$ which are non-decomposable in the above sense, but for which $X\alpha_i \sim Y\beta_i$ for each $i$; this leads to a contradiction [ref] (due to image-finiteness).

Remark. Again, this idea provides no reasonable complexity bound. However, the problem is studied in more detail by Burkart, Caucal and Steffen [ref], where the algorithm is modified to operate within an elementary bound.

Remark. We have exploited certain decomposition properties for BPA. In the normed case, both for BPP and BPA, a unique decomposition (into “prime” processes as defined by Milner and Moller [ref]) is guaranteed, which Hirshfeld, Jerrum and Moller [ref] exploited to give (nontrivial) proofs that polynomial-time algorithms exist for these cases.

Finally, for the case of PA, the answer is known only in the normed case. Hirshfeld and Jerrum [ref] use, in principle, the idea of the modified expansion tree, having found sufficient rules for replacing “large” pairs by “smaller” ones which induce them. They furthermore establish a bound for the “largeness” of the resulting pairs, which results in an upper bound on the complexity. The proof makes substantial use of the decomposition properties of BPA and BPP; but the main challenge is to handle “mixed pairs” $(\alpha\cdot\alpha', \beta|\beta')$; it turns out that such (bisimilar) pairs have a surprisingly rich structure. Furthermore, it is not clear if $\sim$ is a finitely generated congruence in the case of (normed) PA. The nodes of the tree in [ref] are no longer just finite sets of pairs, but they can also contain “schemes” representing infinite sets.

Remark. The authors of [ref] do not expect their technique to be directly generalized to the whole class of (unnormed) PA graphs. They illustrate our still insufficient insight by noting that a polynomial algorithm as well as undecidability are still possible in this case.
2.3 State-Extended Process Algebras

Richer classes of graphs have been studied, arising from process algebras by adding a finite-state control. Formally, the productions are of the form $pX \xrightarrow{a} q\alpha$ where $p$ and $q$ denote states of the finite control. The extension to terms is as follows: if $p\alpha \xrightarrow{a} q\beta$ then $p(\alpha\cdot\gamma) \xrightarrow{a} q(\beta\cdot\gamma)$ and $p(\alpha|\gamma) \xrightarrow{a} q(\beta|\gamma)$.

State-extended BPA graphs are also called PDA graphs (from pushdown automata). Though language equivalent to BPA, they constitute a richer family of graphs, and solving the decidability question for bisimilarity needs more insight. Stirling [ref] proves the decidability in the normed case; a PDA vertex $p\alpha$ is deemed to be normed iff for any $q\beta$ which is reachable from $p\alpha$ there is some $q'\varepsilon$ reachable from $q\beta$.

Stirling also devises a way to replace “large” pairs $(p\alpha, q\beta)$ by “smaller” ones. To this aim he introduces special stack symbols (constants) which make it possible to finitely describe (infinite) “regular behaviours” of the (suffix of the) stack and which enable a “congruence property” (wrt “stacking”). He shows that it is sufficient to have finitely many such constants but gives no bound on their number, so no bound for the complexity is provided.

Remark. Very close to this topic is the long-standing open problem of the decidability of language equivalence for deterministic pushdown automata, which has only recently been solved (positively) by Sénizergues [ref]. The full version of his proof is more than 70 pages, and still longer is his announced proof for decidability of bisimilarity for the whole class of PDA graphs. Based on insight gained from Sénizergues' proof and on the techniques which we have sketched above, Stirling [ref] provides (in May 1999) a much shorter proof (approx. 20 pages) of DPDA-equivalence, and conjectures that his “structural” technique will yield a shorter proof of decidability of bisimilarity as well.

Here we describe in more detail the case of graphs generated by one-counter machines. It is a subcase of PDA, where all considered graph vertices are of the form $pXX\cdots XZ$, and the productions are of the appropriately restricted form; here the number of symbols $X$ is interpreted as the value of the counter while $Z$ is a special “bottom-of-stack” symbol allowing one to test for zero. We use the more natural notation $p(m)$ to denote the vertex $pX^mZ$.

A decidability proof is given by Jancar [ref]; however, in view of the above Remark, it is (probably) subsumed by more general results. Nevertheless the technique in [ref] is different from what we mentioned so far, and fairly simple to describe. Moreover, it is more amenable to yielding a complexity bound in this (sub)case. Performing again a systematic search, the algorithm constructs (in the case when the given pair is bisimilar) a finite representation of a (generally infinite) bisimulation relation (not using the “large-replace-by-small” approach).

Remark. This approach could be again illustrated on BPP. Here $\sim$ is a congruence and every congruence on a finitely generated commutative semigroup is semilinear [ref] (see [ref] for a short proof). The property of a semilinear relation being a bisimulation is easily seen to be expressible in Presburger arithmetic. Hence due to its decidability (see, e.g., [ref]), semidecidability of bisimilarity for BPP can be shown as follows: systematically generate descriptions of all semilinear relations and check for each of them if it is a bisimulation containing the given pair.

Considering (pairs of) one-counter processes (i.e., vertices in a respective graph), a conceptual advantage is that we have a natural presentation in terms of “colouring” the set $\mathbb{N} \times \mathbb{N}$ (viewed as the integral grid in the first quadrant of the two-dimensional plane). By a colouring with colours from a finite set $C$ we mean a function $c : \mathbb{N} \times \mathbb{N} \to C$. Given a one-counter machine $M$ (that is, the respective collection of PDA productions) with control state set $Q$, by a colouring $c$ related to $M$ we mean any colouring arising as the product $c = \prod_{p,q \in Q} c_{(p,q)}$ where $c_{(p,q)} : \mathbb{N} \times \mathbb{N} \to \{\text{black}, \text{white}\}$. Such a colouring $c$ represents the relation $\mathcal{R}_c$ on the set of vertices of the respective graph as follows: $p(m)\ \mathcal{R}_c\ q(n)$ iff $c_{(p,q)}(m, n) = \text{black}$.

We distinguish the colouring $c^M$ representing bisimulation equivalence:

$$c^M = \prod_{p,q \in Q} c^M_{(p,q)}$$

where $c^M_{(p,q)}(i, j) = \text{black}$ iff $p(i) \sim q(j)$ and $c^M_{(p,q)}(i, j) = \text{white}$ iff $p(i) \not\sim q(j)$.

The key fact here is the following.

Fact 10. For a one-counter machine $M$, the colouring $c^M$ is regular.

Here by a regular colouring we mean a colouring arising from a periodic “background” colouring by changing the colours in finitely many belts (whose slopes are nonnegative rational or $\infty$) so that each belt colouring is periodic as well, and by final recolouring of an initial square. The following pictures illustrate these notions.




[figure omitted in scan: A periodic colouring.]

[figure omitted in scan: Scheme of a regular colouring.]



Therefore, knowing Fact 10 we can generate all (descriptions of) regular colourings $c$ (related to $M$) and check for each of them whether $\mathcal{R}_c$ is a bisimulation relation containing the given pair (this is straightforward since it is sufficient to check just finitely many pairs, due to the periodicity). This gives a semidecision procedure for bisimilarity. (It can be presented as a decision procedure as in [ref], where a similar technique for simulation is used.)

The idea behind the technical details showing Fact 10 can be sketched as follows. If $p(m)$ and $q(n)$ are bisimilar then their distances (i.e., lengths of shortest sequences) to certain vertices with 0 as the counter value must be the same. Such distances are, in principle, linear in the counter value, and the constraint of the mentioned equality yields the linear belts. Periodicity (inside the belts and on the background) then follows from some simple observations.

Remark. As mentioned above, a complexity bound can be achieved by a more detailed analysis; nevertheless, it was not done in [ref].

3 Undecidability 

We certainly cannot expect bisimulation equivalence to be decidable for a class of graphs representing systems which are able to faithfully model universal devices, in particular Minsky machines [ref], which are simple straight-line programs which operate on nonnegative counters. It is sufficient for us to assume just two counters, initialized to 0, since the halting problem is undecidable even in this simple case. Formally, a Minsky machine $M$ is a sequence of labelled instructions

$$X_0 : \mathit{comm}_0;\ X_1 : \mathit{comm}_1;\ \cdots\ X_{n-1} : \mathit{comm}_{n-1};\ X_n : \mathit{comm}_n$$

where each of the first n instructions is either of the form 

$$X_\ell : c_0 := c_0 + 1;\ \mathbf{goto}\ X_j \qquad\text{or}\qquad X_\ell : c_1 := c_1 + 1;\ \mathbf{goto}\ X_j$$

or of the form 

$$X_\ell : \mathbf{if}\ c_0 = 0\ \mathbf{then\ goto}\ X_j\ \mathbf{else}\ c_0 := c_0 - 1;\ \mathbf{goto}\ X_k \qquad\text{or}\qquad X_\ell : \mathbf{if}\ c_1 = 0\ \mathbf{then\ goto}\ X_j\ \mathbf{else}\ c_1 := c_1 - 1;\ \mathbf{goto}\ X_k$$

The machine $M$ starts executing with the value 0 in the counters $c_0$ and $c_1$ and the control at label $X_0$. When the control is at label $X_\ell$ ($0 \le \ell < n$), the machine executes instruction $\mathit{comm}_\ell$, appropriately modifying the contents of the respective counter and transferring the control to the appropriate label as directed by the instruction. The machine halts if and when the control reaches the halt instruction at label $X_n$.

State-extended PA can easily model Minsky machines, as we can use the parallel composition of two sequential terms $(XX \ldots XZ)\,|\,(YY \ldots YZ)$ to model the two counters in the obvious way. So a straightforward reduction from the halting problem shows undecidability of bisimilarity for state-extended PA. Recall that there is no such reduction for (normed) state-extended BPA, that is, for (normed) PDA, due to the decidability in that case, which we discussed in Section 2.3. However, it turns out that state-extended BPP, which we further denote MSA (multiset automata), allow for such a reduction, even in



42 



Petr Jancar and Faron Moller 



the normed case, though they cannot faithfully model Minsky machines. They represent a subclass of labelled place/transition Petri nets and thus they lack the ability to test-for-zero. In the rest of this section, we outline the reduction, thus demonstrating undecidability of bisimilarity for MSA.

The idea is to construct an MSA which "weakly" models a given Minsky machine, and then take two slightly modified copies. The modifications guarantee that whenever Alice "cheats" (i.e., makes a "zero" move while the counter of the modelled Minsky machine is positive), Bob can punish her by reaching a pair of equal (and hence trivially bisimilar) vertices.

To the Minsky machine $M$ as presented above, we define the (description of the) MSA graph as follows.

— The set of labels is $A = \{i, d, z, h\}$.

— The set of control states is $Q = \{p_0, p_1, \ldots, p_{n-1}, p_n, q_0, q_1, \ldots, q_{n-1}, q_n\}$.

— The set of variables is $P = \{Z, 0, 1\}$.

— For each machine instruction $X_\ell : c_b := c_b + 1;\ \mathbf{goto}\ X_j$ (with $b \in \{0, 1\}$) we have the productions

$$p_\ell Z \xrightarrow{i} p_j (b|Z) \qquad\text{and}\qquad q_\ell Z \xrightarrow{i} q_j (b|Z).$$

— For each machine instruction $X_\ell : \mathbf{if}\ c_b = 0\ \mathbf{then\ goto}\ X_j\ \mathbf{else}\ c_b := c_b - 1;\ \mathbf{goto}\ X_k$ we have the productions

$$p_\ell b \xrightarrow{d} p_k \qquad p_\ell Z \xrightarrow{z} p_j Z \qquad p_\ell b \xrightarrow{z} q_j b$$

$$q_\ell b \xrightarrow{d} q_k \qquad q_\ell Z \xrightarrow{z} q_j Z \qquad q_\ell b \xrightarrow{z} p_j b$$

— We have the one final production

$$p_n Z \xrightarrow{h} p_n$$

The MSA graph reflects the (computation of the) machine $M$ in the following sense.

— When $M$ is at the command labelled $X_\ell$ with the values $x$ and $y$ in its counters, this is reflected by the "p-vertex" $p_\ell(0^x|1^y|Z)$ as well as the "q-vertex" $q_\ell(0^x|1^y|Z)$ (where $0^x$ represents $0|0|\ldots|0$ with $x$ occurrences of $0$).

— If this command is an increment, then the associated p-vertex has only one outgoing edge, labelled by $i$ (for "increment"), leading to the p-vertex reflecting the state of $M$ upon executing the increment command; similarly for the associated q-vertex.

— If this command is a successful test for zero (that is, the relevant counter has the value 0), then the associated p-vertex (as well as the associated q-vertex) has only one outgoing edge, labelled by $z$ (for "zero"), leading to the p-vertex (q-vertex) reflecting the state of $M$ upon executing the respective command.

— If this command is a decrement (that is, a failed test for zero), then the associated p-vertex (as well as the associated q-vertex) has three outgoing edges, exactly one of which is labelled $d$ (for "decrement"), which again leads to the p-vertex (q-vertex) reflecting the state of $M$ upon executing the command.

— In this last instance, the additional two outgoing edges, both labelled by $z$, reflect the weakness of MSA (or, more generally, Petri nets) in their inability to test for zero (a weakness which works in their favour with respect to several important positive decidability results such as the reachability problem [ref]). One of the two edges represents an "honest cheating", and arises from the rule $p_\ell Z \xrightarrow{z} p_j Z$ ($q_\ell Z \xrightarrow{z} q_j Z$), while the other edge represents "knowingly cheating", and arises from the rule $p_\ell b \xrightarrow{z} q_j b$ ($q_\ell b \xrightarrow{z} p_j b$); in this final case, the edge leads to the domain of the other copy weakly modelling $M$.

Fact 11. $p_0 Z \sim q_0 Z$ iff the Minsky machine $M$ does not halt.

To see this, we note that if $M$ halts, then a winning strategy for Alice in the bisimulation game would be to mimic the behaviour of $M$ in either of the two copies (in p-vertices or q-vertices). Bob's only option in response would be to do the same in the other copy. Upon termination, the pair of vertices reached in the game will be $p_n(0^x|1^y|Z)$ and $q_n(0^x|1^y|Z)$ for some values $x$ and $y$. Alice may then choose the edge $p_n(0^x|1^y|Z) \xrightarrow{h} p_n(0^x|1^y)$ which cannot be matched by Bob. Hence $p_0 Z$ and $q_0 Z$ are not bisimilar.

On the other hand, if $M$ fails to halt, then a winning strategy for Bob would be to mimic Alice's moves for as long as Alice mimics $M$, and to cheat knowingly or honestly, respectively, in the instance that Alice cheats honestly or knowingly, respectively, so as to arrive at the situation where the two vertices are identical; from here Bob can copy every move of Alice verbatim. Hence $p_0 Z$ and $q_0 Z$ are bisimilar.
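As an added example (not from the paper), the MSA construction above and Alice's strategy from the argument for Fact 11, written in Python for a constructed two-counter machine; the instruction encoding, the helper names and the two sample machines are this example's own.

```python
from collections import Counter

# Two constructed Minsky machines (not from the paper).  Instruction encoding:
#   ('inc', b, j)      X_l : c_b := c_b + 1; goto X_j
#   ('test', b, j, k)  X_l : if c_b = 0 then goto X_j else c_b := c_b - 1; goto X_k
#   ('halt',)          X_n : halt (always the last instruction)
MACHINE_HALTS = [('inc', 0, 1), ('test', 0, 2, 2), ('halt',)]   # X0 -> X1 -> X2 halt
MACHINE_LOOPS = [('inc', 0, 0), ('halt',)]                       # X0 increments forever


def vertex(side, l, x=0, y=0, with_z=True):
    """The vertex p_l(0^x|1^y|Z) (side 'p') or q_l(0^x|1^y|Z) (side 'q');
    the multiset of variables is kept as a Counter over 'Z', '0', '1'."""
    ms = Counter()
    if with_z:
        ms['Z'] = 1
    if x:
        ms['0'] = x
    if y:
        ms['1'] = y
    return ((side, l), ms)


def moves(machine, v):
    """All outgoing edges (label, target vertex) of vertex v in the MSA graph
    built from `machine` by the productions of Section 3."""
    (side, l), ms = v
    other = 'q' if side == 'p' else 'p'
    instr, out = machine[l], []
    if instr[0] == 'inc':                                          # p_l Z --i--> p_j (b|Z)
        _, b, j = instr
        if ms['Z']:
            out.append(('i', ((side, j), ms + Counter({str(b): 1}))))
    elif instr[0] == 'test':
        _, b, j, k = instr
        b = str(b)
        if ms[b]:                                                  # counter is positive
            out.append(('d', ((side, k), ms - Counter({b: 1}))))   # p_l b --d--> p_k
            out.append(('z', ((other, j), Counter(ms))))           # p_l b --z--> q_j b (knowing cheat)
        if ms['Z']:
            out.append(('z', ((side, j), Counter(ms))))            # p_l Z --z--> p_j Z (honest cheat)
    elif instr[0] == 'halt' and side == 'p' and ms['Z']:
        out.append(('h', ((side, l), ms - Counter({'Z': 1}))))     # p_n Z --h--> p_n
    return out


def labels(machine, v):
    """Sorted labels of the outgoing edges of v."""
    return sorted(lab for lab, _ in moves(machine, v))


def mimic_run(machine, side='p', max_steps=1000):
    """Alice's strategy from the proof of Fact 11: follow M faithfully inside
    one copy, i.e. never take a z-edge while the tested counter is positive.
    Returns (halted, final vertex); halted is False if M does not reach X_n
    within max_steps."""
    n = len(machine) - 1
    v = vertex(side, 0)
    for _ in range(max_steps):
        (s, l), ms = v
        if l == n:
            return True, v
        instr = machine[l]
        if instr[0] == 'inc':
            wanted = 'i'
        else:
            wanted = 'd' if ms[str(instr[1])] else 'z'
        # the faithful move stays in the same copy (no switch between p and q)
        v = next(t for lab, t in moves(machine, v) if lab == wanted and t[0][0] == s)
    return False, v
```

With the halting machine, the p-run ends at a vertex whose only edge is the h-edge while the q-run ends at a vertex with no edge at all, which is the mismatch Alice exploits.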

The above MSA graph can be made normed (in the same sense as for PDA) by adding a new label $e$ along with the following productions (one for each $\ell = 0, 1, \ldots, n$ and each $X = Z, 0, 1$).

$$p_\ell X \xrightarrow{e} p_\ell \qquad p_\ell X \xrightarrow{e} q_\ell \qquad q_\ell X \xrightarrow{e} q_\ell \qquad q_\ell X \xrightarrow{e} p_\ell$$

This guarantees that every vertex has an outgoing path to some vertex $r\varepsilon$, and continues to allow Bob to produce a pair of identical vertices if Alice chooses one of these non-$M$-mimicking edges. The same argument can then be made to show that $p_0 Z$ and $q_0 Z$ are bisimilar exactly when the Minsky machine $M$ does not halt. We thus arrive at our result.

Fact 12. Bisimilarity is undecidable over the class of normed MSA graphs. 



4 Additional Remarks 

The undecidability proof in the previous section stems from the proof for labelled Petri nets given by Jancar [ref], which was adapted for MSA by Moller [ref] (there referred to as PPDA, parallel pushdown automata). We thus have undecidability of bisimulation equivalence over a very restricted class of Petri nets: those with only two unbounded places and a minimal degree of nondeterminism. Decidability results for various subcases have been obtained in [ref].

The study of the decidability of bisimilarity over various classes of graphs became a popular topic in concurrency theory with the appearance of the first, then-surprising, proof of the decidability result for normed BPA by Baeten, Bergstra, Klop [ref]. Since then there has been a great deal of research on the topic, and we have only touched on a fragment of it in this tutorial paper. In particular, we have not discussed weak bisimilarity here, which seems much less amenable for obtaining decidability results. (Some partial results are obtained in [13].) For further references in the area, we refer to the survey paper [33].
Abstract. This paper discusses the use of formal methods in testing of concurrent systems. It is argued that formal methods and testing can be mutually profitable and useful. A framework for testing based on formal specifications is presented. This framework is elaborated for labelled transition systems, providing formal definitions of conformance, test execution and test derivation. A test derivation algorithm is given and its tool implementation is briefly discussed.



1 Introduction 

During the last decades much theoretical research in computing science has been 
devoted to formal methods. This research has resulted in many formal languages 
and in verification techniques, supported by prototype tools, to verify properties 
of high-level, formal system descriptions. Although these methods are based on 
sound mathematical theories, there are not many systems developed nowadays 
for which correctness is completely formally verified using these methods. 

On the other hand, the current practice of checking correctness of computing 
systems is based on a more informal and pragmatic approach. Testing is usually 
the predominant technique, where an implementation is subjected to a number 
of tests which have been obtained in an ad-hoc or heuristic manner. A formal, 
underlying theory for testing is mostly lacking. 

The combination of testing and formal methods is not very often made. Sometimes it is claimed that formally verifying computer programs would make testing superfluous, and that, from a formal point of view, testing is inferior as a way of assessing correctness. Also, some people cannot imagine how the practical, operational, and 'dirty-hands' approach of testing could be combined with the mathematical and 'clean' way of verification using formal methods. Moreover, the classical biases against the use of formal verification methods, such as that formal methods are not practical, that they are not applicable to any real system but very simple toy systems, and that they require a profound mathematical training, do not help in making test engineers adopt formal methods.

Fortunately, views are changing. Academic research on testing is increasing, and even the most formal verifier admits that a formally verified system should still be tested. (Because: Who verified the compiler? And the operating system? And who verified the verifier?) On the other hand, formal methods are used in more and more software projects, in particular for safety critical systems, and also the view that a formal specification can be beneficial during testing is getting more support.

The aim of this paper is to strengthen this process of changing views. To that purpose, this paper discusses how testing can be performed based on formal specifications, and how advantage can be obtained in terms of precision, clarity and consistency of the testing process by adopting this formal approach. Also, it will be shown how the use of formal methods helps automating the testing process, in particular the automated derivation of tests from formal specifications. The discussion about testing and formal methods will support the following claims: (i) formal methods and testing are a perfect couple; (ii) testing and formal verification are both necessary; (iii) a formally verified specification is a good starting point for testing; (iv) formal testing is a good starting point for introducing formal methods in software development.

The structure of this paper is as follows. In the next section we start with some informal discussion on classical software testing, see, e.g., [ref]. Section 3 then discusses a formal, generic framework for testing with formal methods. Section 4 makes this framework more specific by instantiating it for the formalism of labelled transition systems. Section [?] discusses tool support and a concrete application of testing a simple protocol based on the labelled transition system testing theory. Finally, Section [?] comes back to the claims made above and discusses some open issues.

The intention of this paper is to give an idea about how testing and formal methods can be mutually beneficial. A complete overview of formal approaches to testing is outside the scope of this paper. Other approaches exist, e.g., [ref] for Abstract Data Type testing, and certainly other instantiations of the generic framework of Section 3 are possible, e.g., with Finite-State Machines (Mealy machines) [ref]. Also it is not the intention to give a complete and precise overview of testing for labelled transition systems. However, the branch of testing theory which is elaborated in Section 4 is shown to be a realistic and practically applicable approach in Section [?]. Moreover, many pointers to the literature are provided which allow to explore alternatives and to study further details.

2 Software Testing 

What Is Testing? Testing is an operational way to check the correctness of a system implementation by means of experimenting with it. Tests are applied to the implementation under test in a controlled environment, and, based on observations made during the execution of the tests, a verdict about the correct functioning of the implementation is given. The correctness criterion that is to be tested is given by the system specification; the specification is the basis for testing.

Testing is an important technique to increase confidence in the quality of a 
computing system. In almost any software development trajectory some form of 
testing is included. 

Sorts of Testing. There are many different kinds of testing. In the first place, 
different aspects of system behaviour can be tested: Does the system have the 
intended functionality and does it comply with its functional specification (func- 
tional tests or conformance tests)? Does the system work as fast as required 
(performance tests)? How does the system react if its environment shows un- 
expected or strange behaviour (robustness tests)? Can the system cope with 
heavy loads (stress testing)? How long can we rely on the correct functioning of 
the system (reliability tests)? What is the availability of the system (availability 
tests)? 

Moreover, testing can be applied at different levels of abstraction and for 
different levels of (sub-)systems: individual functions, modules, combinations of 
modules, subsystems and complete systems can all be tested. 

Another distinction can be made according to the parties or persons perform- 
ing (or responsible for) testing. In this dimension there are, for example, system 
developer tests, factory acceptance tests, user acceptance tests, operational ac- 
ceptance tests, and third party (independent) tests, e.g., for certification. 

A very common distinction is the one between black box and white box 
testing. In black box testing, or functional testing, only the outside of the system 
under test is known to the tester. In white box testing, also the internal structure 
of the system is known and this knowledge can be used by the tester. Naturally, 
the distinction between black and white box testing leads to many gradations of 
grey box testing, e.g., when the module structure of a system is known, but not 
the code of each module. 

In this paper, we concentrate on black box, functional testing, also called 
conformance testing. We do not care about the level of (sub-)systems or who is 
performing the testing. Key points are that there is a system implementation 
exhibiting behaviour and that there is a specification. The specification is a pre- 
scription of what the system should do; the goal of testing is to check, by means 
of testing, whether the implemented system indeed satisfies this prescription. 
In particular, the rest of this paper will consider a conformance testing process 
based on specifications which are given in a formal notation. 

Confusion of Tongues. Sometimes the term testing is also used for performing static checks on the program code, e.g., checking declarations of variables using a static checker, or code inspections. This kind of testing is then denoted by static testing. However, we restrict to dynamic testing, i.e., testing consisting of really executing the implemented system, as described above. Another broader use of the term testing is to include monitoring. Monitoring is then called passive testing as opposed to active testing as described above, where the tester has active control over the test environment, and a set of predefined tests is executed. A third extension of the term testing, sometimes made, is to include all checking activities in the whole software development trajectory, e.g., reviews and inspections.

The Testing Process. In the conformance testing process there are two main 
phases: test generation and test execution. Test generation involves analysis of 
the specification and determination of which functionalities will be tested, de- 
termining how these can be tested, and developing and specifying test scripts. 
Test execution involves the development of a test environment in which the test 
scripts can be executed, the actual execution of the test scripts and analysis of 
the execution results and the assignment of a verdict about the well-functioning 
of the implementation under test. 

Other important activities in the testing process are test management and 
test maintenance. In particular, test maintenance is often underestimated. It 
involves recording and documenting the test scripts, test environments, used test 
tools, relating test sets to versions of specifications and implementations, with 
the aim of making the testing process repeatable and reusable, in particular for 
regression testing. Regression testing is the re-testing of unmodified functionality 
in case of a modification of the system. It is one of the most expensive (and thus 
often deliberately neglected) aspects of testing. 

Test Automation. Testing is a difficult, expensive, time-consuming and labour- 
intensive process. Moreover, testing is (should be) repeated each time a system 
is modified. Hence, testing would be an ideal candidate for automation. 

The main class of commercially available test tools are record & playback tools 
(capture and replay tools) which support the test execution process. Record & 
playback tools are able to record user actions at a (graphical) user interface, 
such as keyboard and mouse actions, in order to replay these actions at a later 
point in time. In this way a recorded test can be replayed several times, which 
may be advantageous during regression testing. 

For the test generation phase there are tools which are able to generate large amounts of input test data. However, these tools are mainly used for performance and stress tests and hence, are outside the scope of this paper. Some tools exist that are able to generate a set of tests with the same structure based on a template of a test case by only varying the input parameters in this template. In the area of communication protocol testing there exist some (prototype) test tools that can (semi-)automatically generate test cases for conformance testing from a formal specification. Some of these tools will be briefly described in Section [?].

To relate test cases to the requirements that they test, standard requirements 
management tools can be used, but such tools are not specific for testing. The 
main functionality of such tools is to relate high level system requirements to 
(lower level) sub-system requirements and to relate requirements to test cases. 

A kind of test tools which are used during test execution, but which (should) influence test generation, are code coverage tools. Code coverage tools calculate the percentage of the system code executed during test execution according to some criterion, e.g., "all paths", "all statements", or "all definition-usage combinations" of variables. They give an indication about the completeness of a set of tests. Note that this notion of completeness refers to the implemented code (white box testing); it does not say anything about the extent to which the requirements or the specification were covered.

3 Formal Framework for Testing 

In Section 2 the software testing process was described from a traditional perspective. Conformance testing was introduced as a kind of testing where the behaviour of a system is systematically tested with respect to the system's specification of functional behaviour.

In this section a framework is presented for the use of formal methods in conformance testing [ref]. The framework can be used for testing of an implementation with respect to a formal specification of its functional behaviour. It introduces, at a high level of abstraction, the concepts used in a formal conformance testing process and it defines a structure which allows to reason about testing in a formal way. The most important part of this is to link the informal world of implementations, tests and experiments with the formal world of specifications and models. To this extent the framework introduces the concepts of conformance, i.e., functional correctness, testing, sound and exhaustive test suites, and test derivation. All these concepts are introduced at a generic level; Section 4 and Section [?] will show how to instantiate and apply these concepts.

Conformance. For talking about conformance we need implementations and specifications. The specifications are formal, so a universe of formal specifications denoted $\mathit{SPECS}$ is assumed. Implementations are the systems that we are going to test, henceforth they will be called IUT, implementation under test, and the class of all IUT's is denoted by $\mathit{IMPS}$. So, conformance could be introduced by having a relation $\mathbf{conforms\text{-}to} \subseteq \mathit{IMPS} \times \mathit{SPECS}$ with $\mathrm{IUT}\ \mathbf{conforms\text{-}to}\ s$ expressing that IUT is a correct implementation of specification $s$.

However, unlike specifications, implementations under test are real, physical objects, such as pieces of hardware or software; they are treated as black boxes exhibiting behaviour and interacting with their environment, but not amenable to formal reasoning. This makes it difficult to give a formal definition of $\mathbf{conforms\text{-}to}$, which should be our aim in a formal testing framework. In order to reason formally about implementations, we make the assumption that any real implementation $\mathrm{IUT} \in \mathit{IMPS}$ can be modelled by a formal object $i_{\mathrm{IUT}} \in \mathit{MODS}$, where $\mathit{MODS}$ is referred to as the universe of models. This assumption is referred to as the test hypothesis [ref]. Note that the test hypothesis only assumes that a model $i_{\mathrm{IUT}}$ exists, but not that it is known a priori.

Thus the test hypothesis allows to reason about implementations as if they were formal objects, and, consequently, to express conformance by a formal relation between models of implementations and specifications. Such a relation is called an implementation relation $\mathbf{imp} \subseteq \mathit{MODS} \times \mathit{SPECS}$ [ref]. Implementation $\mathrm{IUT} \in \mathit{IMPS}$ is said to be correct with respect to $s \in \mathit{SPECS}$, $\mathrm{IUT}\ \mathbf{conforms\text{-}to}\ s$, if and only if the model $i_{\mathrm{IUT}} \in \mathit{MODS}$ of IUT is $\mathbf{imp}$-related to $s$: $i_{\mathrm{IUT}}\ \mathbf{imp}\ s$.

Observation and Testing. The behaviour of an implementation under test is in- 
vestigated by performing experiments on the implementation and observing the 
reactions that the implementation produces to these experiments. The specifi- 
cation of such an experiment is called a test case, and the process of applying a 
test to an implementation under test is called test execution. 

Let test cases be formally expressed as elements of a domain $\mathit{TESTS}$. Then test execution requires an operational procedure to execute and apply a test case $t \in \mathit{TESTS}$ to an implementation under test $\mathrm{IUT} \in \mathit{IMPS}$. This operational procedure is denoted by $\mathrm{EXEC}(t, \mathrm{IUT})$. During test execution a number of observations will be made, e.g., occurring events will be logged, or the response of the implementation to a particular stimulus will be recorded. Let (the formal interpretation of) these observations be given in a domain of observations $\mathit{OBS}$, then test execution $\mathrm{EXEC}(t, \mathrm{IUT})$ will lead to a subset of $\mathit{OBS}$. Note that $\mathrm{EXEC}$ is not a formal concept; it captures the action of "pushing the button" to let $t$ run with IUT. Also note that $\mathrm{EXEC}(t, \mathrm{IUT})$ may involve multiple runs of $t$ and IUT, e.g., in case nondeterminism is involved.

Again, since $\mathrm{EXEC}(t, \mathrm{IUT})$ corresponds to the physical execution of a test case, we have to model this process of test execution in our formal domain to allow formal reasoning about it. This is done by introducing an observation function $\mathit{obs} : \mathit{TESTS} \times \mathit{MODS} \to \mathcal{P}(\mathit{OBS})$. So, $\mathit{obs}(t, i_{\mathrm{IUT}})$ formally models the real test execution $\mathrm{EXEC}(t, \mathrm{IUT})$.

In the context of an observational framework consisting of $\mathit{TESTS}$, $\mathit{OBS}$, $\mathrm{EXEC}$ and $\mathit{obs}$, it can now be stated more precisely what is meant by the test hypothesis:

$$\forall \mathrm{IUT} \in \mathit{IMPS}\ \exists i_{\mathrm{IUT}} \in \mathit{MODS}\ \forall t \in \mathit{TESTS} : \mathrm{EXEC}(t, \mathrm{IUT}) = \mathit{obs}(t, i_{\mathrm{IUT}}) \tag{1}$$

This could be paraphrased as follows: for all real implementations that we are testing, it is assumed that there is a model, such that if we would put the IUT and the model in black boxes and would perform all possible experiments defined in $\mathit{TESTS}$, then we would not be able to distinguish between the real IUT and the model. Actually, this notion of testing is analogous to the ideas underlying testing equivalences [ref], which will be elaborated for transition systems in Section 4.

Usually, we like to interpret observations of test execution in terms of being right or wrong. So we introduce a family of verdict functions $v_t : \mathcal{P}(\mathit{OBS}) \to \{\mathit{fail}, \mathit{pass}\}$ which allows to introduce the following abbreviation:

$$\mathrm{IUT}\ \mathbf{passes}\ t \iff_{\mathrm{def}} v_t(\mathrm{EXEC}(t, \mathrm{IUT})) = \mathit{pass} \tag{2}$$

This is easily extended to a test suite $T \subseteq \mathit{TESTS}$: $\mathrm{IUT}\ \mathbf{passes}\ T \iff \forall t \in T : \mathrm{IUT}\ \mathbf{passes}\ t$. Moreover, an implementation fails test suite $T$ if it does not pass: $\mathrm{IUT}\ \mathbf{fails}\ T \iff \neg(\mathrm{IUT}\ \mathbf{passes}\ T)$.
Conformance Testing. Conformance testing involves assessing, by means of testing, whether an implementation conforms, with respect to implementation relation $\mathbf{imp}$, to its specification. Hence, the notions of conformance, expressed by $\mathbf{imp}$, and of test execution, expressed by $\mathrm{EXEC}$, have to be linked in such a way that from test execution an indication about conformance is obtained. So, ideally, we would like to have a test suite $T_s$ such that for a given specification $s$

$$\mathrm{IUT}\ \mathbf{conforms\text{-}to}\ s \iff \mathrm{IUT}\ \mathbf{passes}\ T_s \tag{3}$$

A test suite with this property is called complete; it can distinguish exactly between all conforming and non-conforming implementations. Unfortunately, this is a very strong requirement for practical testing: complete test suites are usually infinite, and consequently not practically executable. Hence, usually a weaker requirement on test suites is posed: they should be sound, which means that all correct implementations, and possibly some incorrect implementations, will pass them; or, in other words, any detected erroneous implementation is indeed non-conforming, but not the other way around. Soundness corresponds to the left-to-right implication in (3). The right-to-left implication is called exhaustiveness; it means that all non-conforming implementations will be detected.

To show soundness (or exhaustiveness) for a particular test suite we have to use the formal models of implementations and test execution:

$$\forall i \in \mathit{MODS} : i\ \mathbf{imp}\ s \iff \forall t \in T : v_t(\mathit{obs}(t, i)) = \mathit{pass} \tag{4}$$

Once (4) has been shown it follows that

$\mathrm{IUT}\ \mathbf{passes}\ T$
iff (* definition passes $T$ *)
$\forall t \in T : \mathrm{IUT}\ \mathbf{passes}\ t$
iff (* definition passes $t$ *)
$\forall t \in T : v_t(\mathrm{EXEC}(t, \mathrm{IUT})) = \mathit{pass}$
iff (* test hypothesis *)
$\forall t \in T : v_t(\mathit{obs}(t, i_{\mathrm{IUT}})) = \mathit{pass}$
iff (* completeness on models applied to $i_{\mathrm{IUT}}$ *)
$i_{\mathrm{IUT}}\ \mathbf{imp}\ s$
iff (* definition of conformance *)
$\mathrm{IUT}\ \mathbf{conforms\text{-}to}\ s$

So, if the completeness property has been proved on the level of models and if there is ground to assume that the test hypothesis holds, then conformance of an implementation with respect to its specification can be decided by means of a testing procedure.

Now, of course, an important activity is to devise algorithms which produce sound and/or complete test suites from a specification given an implementation relation. This activity is known as test derivation. It can be seen as a function $\mathit{der}_{\mathbf{imp}} : \mathit{SPECS} \to \mathcal{P}(\mathit{TESTS})$. Following the requirement on soundness of test suites, such a function should only produce sound test suites for any specification $s \in \mathit{SPECS}$, so the test suite $\mathit{der}_{\mathbf{imp}}(s)$ should satisfy the left-to-right implication of (4).
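The framework above (obs, verdicts v_t, passes, equation (4) and der_imp) as an added Python example that is not part of the paper; it instantiates MODS with small finite labelled transition systems, TESTS with finite traces, and imp with trace inclusion (observations compared by subset), all of which are this example's own assumptions, as are the constructed specification and candidate models.

```python
from itertools import product

ALPHABET = ('a', 'b', 'c')   # constructed action alphabet shared by all systems below


class LTS:
    """Finite labelled transition system with initial state 0 and transitions
    given as (source, action, target) triples; nondeterminism is allowed."""

    def __init__(self, trans):
        self.trans = set(trans)

    def after(self, states, action):
        return {t for s in states for (src, act, t) in self.trans
                if src == s and act == action}

    def has_trace(self, sigma):
        states = {0}
        for a in sigma:
            states = self.after(states, a)
            if not states:
                return False
        return True


def obs(t, model):
    """obs(t, i): the observations made when test t (a finite action sequence)
    is run against model i; here, the prefixes of t that i can execute."""
    return {t[:k] for k in range(len(t) + 1) if model.has_trace(t[:k])}


def imp(p, q):
    """Trace inclusion as the implementation relation: for all tests t,
    obs(t, p) is a subset of obs(t, q).  Decided by exploring the pairs
    (state of p, set of states of q) reachable by a common trace."""
    start = (0, frozenset({0}))
    seen, todo = {start}, [start]
    while todo:
        ps, qs = todo.pop()
        for a in ALPHABET:
            for pt in p.after({ps}, a):
                qt = frozenset(q.after(qs, a))
                if not qt:
                    return False          # p has a trace that q lacks
                if (pt, qt) not in seen:
                    seen.add((pt, qt))
                    todo.append((pt, qt))
    return True


def verdict(spec, observations):
    """v_t: pass unless some observed prefix lies outside the specified traces."""
    return 'pass' if all(spec.has_trace(s) for s in observations) else 'fail'


def passes(model, spec, suite):
    """IUT passes T: every test of the suite yields the verdict pass."""
    return all(verdict(spec, obs(t, model)) == 'pass' for t in suite)


def der(spec, depth):
    """der_imp(s): tests sigma.a with sigma a specified trace shorter than
    `depth` and sigma.a unspecified; such tests are sound for trace inclusion."""
    suite = set()
    for n in range(depth):
        for sigma in product(ALPHABET, repeat=n):
            if spec.has_trace(sigma):
                suite |= {sigma + (a,) for a in ALPHABET
                          if not spec.has_trace(sigma + (a,))}
    return suite


def equation_4(spec, models, suite):
    """Both sides of (4) per model: (i imp s, i passes suite)."""
    return {name: (imp(m, spec), passes(m, spec, suite))
            for name, m in models.items()}


def sound_and_exhaustive(results):
    """Soundness: conforming models pass.  Exhaustiveness: non-conforming fail."""
    sound = all(p for c, p in results.values() if c)
    exhaustive = all(not p for c, p in results.values() if not c)
    return sound, exhaustive


# Constructed specification (a and b alternate) and three candidate models.
SPEC = LTS({(0, 'a', 1), (1, 'b', 0)})
MODELS = {
    'conforming': LTS({(0, 'a', 1), (1, 'b', 0)}),
    'extra_c': LTS({(0, 'a', 1), (1, 'b', 0), (1, 'c', 2)}),          # extra trace a.c
    'deep_error': LTS({(0, 'a', 1), (0, 'a', 3), (1, 'b', 0),
                       (3, 'b', 4), (4, 'b', 5)}),                      # extra trace a.b.b
}

if __name__ == '__main__':
    for depth in (2, 3):
        print(depth, sound_and_exhaustive(equation_4(SPEC, MODELS, der(SPEC, depth))))
```

The derived suite is sound at every depth, but at depth 2 it misses the error that only shows after the trace a.b, which is the gap between soundness and exhaustiveness that the text describes.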
Extensions. Some extensions to and refinements of the formal testing framework can be made. Two of them are mentioned here. The first one concerns the test architecture [ref]. A test architecture defines the environment in which an implementation is tested. It gives an abstract view of how the tester communicates with the IUT. Usually, an IUT is embedded in a test context, which is there when the IUT is tested, but which is not the object of testing. In order to formally reason about testing in context, the test context must be formally modelled. Sometimes, the term SUT, system under test, is then used to denote the implementation with its test context, whereas IUT is used to denote the bare implementation without its context.

The second extension is the introduction of coverage within the formal framework. The coverage of a test suite can be introduced by assigning to each erroneous implementation that is detected by a test suite a value and subsequently integrating all values. This can be combined with a stochastic view on erroneous implementations and a probabilistic view on test execution [ref].

4 Labelled Transition Systems 

One of the formalisms studied in the realm of conformance testing is that of labelled transition systems. A labelled transition system is a structure consisting of states with transitions, labelled with actions, between them. The formalism of labelled transition systems can be used for modelling the behaviour of processes, such as specifications, implementations and tests, and it serves as a semantical model for various formal languages, e.g., ACP [ref], CCS [ref] and CSP [ref]. Also (most parts of) the semantics of standardized languages like LOTOS [ref] and SDL [ref] and of the modelling language Promela [ref] can be expressed in labelled transition systems. We assume the basic definitions of labelled transition systems to be familiar; they can be found in many of the given references, e.g., in [ref] the definitions are given in the same notation as they are used here (however, we will not consider internal actions $\tau$ in this section).

This section instantiates the generic, formal testing framework of section 3 with labelled transition systems. This means that the formal domains SPECS, MODS and TESTS will now consist of (some kind of) transition systems. In particular, it will be shown how the ioco-testing theory based on inputs, outputs and repetitive quiescence fits within the testing framework.

Traditionally, for labelled transition systems the term testing theory does not refer to conformance testing. Instead of starting with a specification to find a test suite that characterizes the class of its conforming implementations, these testing theories aim at defining implementation relations, given a class of tests: a transition system p is equivalent to a system q if any test case in the class leads to the same observations with p as with q (or more generally, p relates to q if for all possible tests, the observations made of p are related in some sense to the observations made of q). In terms of an observational framework as introduced in section 3, an implementation relation imp is defined by

$$ p \;\mathbf{imp}\; q \;\Leftrightarrow_{def}\; \forall t \in TESTS' : obs(t,p) \mathrel{\diamond} obs(t,q) \qquad (5) $$

Many different relations can be defined by variations of the class of tests TESTS', the way observations obs are obtained, and the required relation $\mathrel{\diamond}$ between observations.

Once an implementation relation has been defined, conformance testing involves finding a test derivation algorithm such that test suites can be derived from a specification which are sound, and, in some sense, minimal. Conformance testing for labelled transition systems has been studied especially in the context of testing communication protocols with the language LOTOS.

For the discussion of the ioco-testing theory both kinds of testing theory are used: firstly, the implementation relation ioco is defined following the principle of testing preorder; secondly, test derivation from specifications for ioco is investigated, resulting in a sound and exhaustive test derivation algorithm.

In the remainder of this section we will successively instantiate all the ingredients of the formal testing framework of section 3 for ioco-based testing. These include SPECS, IMPS, MODS, imp, TESTS, OBS, vt, exec, obs and der. The description of the different concepts will be done semi-formally; full technical details can be found in the literature. The next section, section 5, will briefly discuss the use of this ioco-testing theory for building software tools and for testing some simple communication protocol implementations based on LOTOS and Promela specifications.



Specifications. For specifications we allow labelled transition systems, or any formal language with a labelled transition system semantics. We require that the actions of the transition system are known and can be partitioned into inputs and outputs, denoted by L_I and L_U, respectively. However, we do not impose any restrictions on inputs or outputs. For LTS(L) the class of labelled transition systems over action alphabet L, SPECS := LTS(L_I ∪ L_U).

Implementations and their Models. We assume implementations to be modelled by a special class of transition systems called input-output transition systems, which, inspired by Input/Output Automata (IOA), have the property that any input action is always enabled in any state. For IOTS(L_I, L_U) the class of input-output transition systems with inputs in L_I and outputs in L_U, MODS := IOTS(L_I, L_U).

For IMPS we allow any computer system or program which can be modelled as an input-output transition system, i.e., a system which has distinct inputs and outputs, where inputs can be mapped 1:1 on L_I and outputs on L_U, and where inputs can always occur.



Implementation Relation. The implementation relation is instantiated with the relation ioco ⊆ IOTS(L_I, L_U) × LTS(L_I ∪ L_U), which is briefly discussed here.

The relation ioco inherits many ideas from other relations defined in the literature. Its roots are in the theory of testing equivalence and preorders, where testing preorder on transition systems is defined using transition systems as tests, traces and completed traces of the synchronized parallel composition of t and p as observations, and inclusion of observations as comparison criterion. Three developments, which build on these testing preorders, are of importance for ioco.

Firstly, a relation with more discriminating power than testing preorder was defined by having more powerful testers which can detect not only the occurrence of actions but also the absence of actions, i.e., refusals. We follow this approach in modelling the observation of a refusal by adding a special label θ ∉ L to observers: TESTS = LTS(L ∪ {θ}). While observing a process, a transition labelled with θ can only occur if no other transition is possible. In this way the observer knows that the process under observation cannot perform the other actions it offers. This is modelled using a parallel operator ]| which is the usual synchronized parallel composition operator extended with the following inference rule to cope with the refusal-detecting features of θ:

$$ u \xrightarrow{\theta} u',\ \ \forall a \in L : u \not\xrightarrow{a} \text{ or } p \not\xrightarrow{a} \ \ \vdash\ \ u \,]|\, p \xrightarrow{\theta} u' \,]|\, p $$



The implementation relation defined in this way is called refusal preorder. 

A second development was the definition of a weaker implementation relation conf that is strongly related to testing preorder. It is a modification of testing preorder by restricting all observations to only those traces that are contained in the specification s. This restriction is in particular used in conformance testing. It makes testing a lot easier: only traces of the specification have to be considered, not the huge complement of this set, i.e., the traces not explicitly specified. In other words, conf requires that an implementation does what it should do, not that it does not do what it is not allowed to do. Several test generation algorithms have been developed for the relation conf, among which the canonical tester theory; corresponding tools have been implemented, and extensions have been studied.

The third development of importance for ioco was the application of the principles of testing preorder to Input/Output Automata. It was shown that testing preorder coincides with quiescent trace preorder when requiring that inputs are always enabled.

The relation ioco inherits from all these developments. The definition of ioco follows the principles of testing preorder with tests that can also detect the refusal of actions as in refusal preorder. Outputs and always enabled inputs are distinguished analogous to IOA, and, moreover, a restriction is made to only the traces of the specification as in conf. The resulting relation ioco can be defined semi-formally as follows.



Let i ∈ IOTS(L_I, L_U), s ∈ LTS(L_I ∪ L_U), then

$$ i \;\mathbf{ioco}\; s \;\Leftrightarrow_{def}\; \forall \sigma \in Straces(s) : out(\,i \;\mathbf{after}\; \sigma\,) \subseteq out(\,s \;\mathbf{after}\; \sigma\,) $$

where

— p after σ is the set of states in which transition system p can be after having executed the trace σ.






56 



Jan Tretmans 



— out(p after σ) is the set of output actions which may occur in some state of p after σ. Additionally, the special action δ, indicating quiescence, may occur if there is a quiescent state in p after σ.

— A state p is quiescent, denoted by $p \xrightarrow{\delta} p$, if no output action can occur: $\forall x \in L_U : p \not\xrightarrow{x}$.

— Straces(s) are the suspension traces of specification s, i.e., the traces in which the special action δ may occur beside normal input and output actions.





Fig. 1. (Non-)ioco-related input-output transition systems. 



The relation ioco is chosen as implementation relation in our framework: imp := ioco. Informally, an implementation i is ioco-correct with respect to the specification s if i can never produce an output which could not have been produced by s in the same situation, i.e., after the same suspension trace. Moreover, i may only be quiescent, i.e., produce no output at all, if s can do so.

Example 1. Figure 1 gives two input-output transition systems with L_I = {?but} and L_U = {!liq, !choc} and their ioco-relation. ¬(r1 ioco r2), since out(r1 after ?but·δ·?but) = {!liq, !choc}, while out(r2 after ?but·δ·?but) = {!choc}.

For more details about the relation ioco, argumentation for its use, and for more generic definitions we refer to the literature. New developments have led to a variant of ioco, called mioco, where explicit communication channels for actions are distinguished. Moreover, this mioco-theory allows all testing-based implementation relations, including refusal preorder, testing preorder, trace preorder, quiescent trace preorder and different variants of ioco and mioco, to be included in a single lattice.

Tests. Also TESTS is instantiated with transition systems, but this time we add an extra label θ, as in the refusal preorder above, to model the detection of refusals, in particular the detection of the refusal of all outputs, i.e., quiescence. Moreover, we restrict tests to deterministic transition systems with finite behaviour, so that any test execution is always finite and ends in a terminal state of the test case. We will denote these terminal states as either pass or fail. Finally, we require that for each non-terminal state s of a test case either init(s) = {a} for some a ∈ L_I, or init(s) = L_U ∪ {θ}; init(t) is the set of initial actions of t: init(t) = {a | t —a→}.

So, the behaviour of a test case is described by a (finite) tree where in each state either one specific input action can occur, or all outputs together with the special action θ. The special label θ ∉ L ∪ {δ} will be used in a test case to detect quiescent states of an implementation, so it can be thought of as the communicating counterpart of a δ-action. It will usually be implemented by a kind of time-out.

Example 2. Figure 2 gives an example of a test case t.

Fig. 2. A test case t



Observations. Observations are logs of actions, i.e., traces over L ∪ {θ}: OBS := (L ∪ {θ})*.

Observation Function. The observation function obs is defined by the synchronized parallel composition of t and i ending in a final state of t:

$$ obs(t,i) =_{def} \{\, \sigma \in (L \cup \{\theta\})^* \mid t \,]|\, i \xrightarrow{\sigma} t' \,]|\, i',\ t' = \mathbf{pass} \text{ or } t' = \mathbf{fail} \,\} $$



Example 3. For r1 (figure 1) there are three observations with t of figure 2:

$$ t \,]|\, r_1 \xrightarrow{\,{?}but \cdot {!}liq\,} \mathbf{pass} \,]|\, r_1' $$

$$ t \,]|\, r_1 \xrightarrow{\,{?}but \cdot \theta \cdot {?}but \cdot {!}liq\,} \mathbf{fail} \,]|\, r_1'' $$

$$ t \,]|\, r_1 \xrightarrow{\,{?}but \cdot \theta \cdot {?}but \cdot {!}choc \cdot \theta\,} \mathbf{pass} \,]|\, r_1''' $$

where r1', r1'' and r1''' are the leaves of r1 from left to right.



Verdicts. The verdict assigned to a set of observations O ⊆ OBS is pass if all traces in O lead to the terminal state pass of the test case:

$$ vt(O) =_{def} \begin{cases} \mathbf{pass} & \text{if } \forall \sigma \in O : t \xrightarrow{\sigma} \mathbf{pass} \\ \mathbf{fail} & \text{otherwise} \end{cases} $$



Example 4. Continuing example 3 we have that, since the terminal state of t for the second run is fail, the verdict for r1 is fail. Similarly, it can be checked that the verdict for r2 is pass.

Test Execution. Test execution EXEC(t, iut) should be correctly implemented, i.e., it should be implemented such that it correctly reflects the semantics as expressed by obs(t, i_iut) and establishes the test hypothesis.

Test Derivation. The following algorithm specifies the derivation of test cases from a labelled transition system specification for the implementation relation ioco. The test cases are denoted using a process-algebraic notation: “;” denotes action prefix; “+” denotes choice; “Σ” denotes generalized choice. Moreover, for S a set of states, S after a denotes the set of states which can be reached from any state in S via action a.

Algorithm - ioco Test Derivation: Let s be a specification with initial state s0. Let S be a non-empty set of states, with initially S = {s0}. Then a test case t is obtained from S by a finite number of recursive applications of one of the following three nondeterministic choices:

1. (* terminate the test case *)
   t := pass

2. (* give a next input to the implementation *)
   t := a ; t'    if S after a ≠ ∅
   where a ∈ L_I, and t' is obtained by recursively applying the algorithm for S' = S after a.

3. (* check the next output of the implementation *)
   t := Σ { x ; fail | x ∈ L_U, x ∉ out(S) }
      + Σ { θ ; fail | δ ∉ out(S) }
      + Σ { x ; t_x | x ∈ L_U, x ∈ out(S) }
      + Σ { θ ; t_θ | δ ∈ out(S) }
   where t_x and t_θ are obtained by recursively applying the algorithm for S after x and S after δ, respectively.

Given a specification s ∈ LTS(L_I ∪ L_U), this algorithm was proved to produce only sound test cases, i.e., test cases which never produce fail while testing an ioco-conforming implementation. Formally, let der be any function satisfying the (nondeterministic) algorithm, then the following holds:

$$ \forall i \in IOTS(L_I, L_U) : i \;\mathbf{ioco}\; s \;\Rightarrow\; \forall t \in der(s) : vt(obs(t,i)) = \mathbf{pass} $$

Moreover, it was shown that any non-conforming implementation can always be detected by a test case generated with this algorithm, i.e., let T_s be the set of all test cases which can be generated by the algorithm from s, then

$$ \forall i \in IOTS(L_I, L_U) : i \;\mathbf{ioco}\; s \;\Leftarrow\; \forall t \in T_s : vt(obs(t,i)) = \mathbf{pass} $$



Example 5. Using the ioco-test derivation algorithm the test case t of figure 2 can be derived from specification r2 in figure 1. This is consistent with figure 1 and example 1: ¬(r1 ioco r2), r2 ioco r2 (ioco is reflexive), and indeed vt(obs(t, r1)) = fail, and vt(obs(t, r2)) = pass. So, test case t can be used to detect that r1 is not ioco-correct with respect to r2.

5 Tools and an Application 

The algorithm for ioco-test derivation has a wider applicability than candy machines. Different tools have been built which implement, more or less strictly, this algorithm. These include Tveda, TGV and TorX.

Tveda is a tool which is able to generate test cases in TTCN from single-process SDL specifications. Actually, it is interesting to note that the test generation algorithm of Tveda was not based on the algorithm for ioco-test derivation but on the intuition and heuristics of experienced test case developers at France Telecom CNET. Only careful analysis afterwards showed that this algorithm generates test cases for an implementation relation which is almost the same as ioco.

The tool TGV generates tests in TTCN from LOTOS or SDL specifications. It implements a test derivation algorithm for ioco with an unfair extension for finite-state divergences. Moreover, it allows test purposes to be specified by means of automata, which makes it possible to identify the parts of a specification which are interesting from a testing point of view.

Whereas Tveda and TGV only support the test derivation process by deriving test suites and expressing them in TTCN, the tool TorX combines ioco-test derivation and test execution in an integrated manner. This approach, where test derivation and test execution occur simultaneously, is called on-the-fly testing. Instead of deriving a complete test case, the test derivation process only derives the next test event from the specification and this test event is immediately executed. While executing a test case, only the necessary part of the test case is considered: the test case is derived lazily (cf. lazy evaluation of functional languages). This can reduce the effort needed for deriving a test case.

TorX is currently able to derive test cases from LOTOS and Promela specifications, but since its implementation uses the Open/CÆSAR interface for traversing through a labelled transition system, the tool can be easily extended to any formalism with transition system semantics for which there is an Open/CÆSAR interface implementation available.
A simple experiment was conducted to show the viability and the practical applicability of the ioco testing theory and the tool TorX. For this experiment a simple protocol, the Conference Protocol, was considered. The Conference Protocol resembles a “chatbox”. It offers to users the possibility to join a group, to chat with the members of the group, and to leave the group. It is implemented on top of the UDP protocol from the TCP/IP protocol suite.

Specifications in LOTOS and in Promela were developed for the Conference Protocol. An implementation in the C programming language was developed, too. From this implementation 27 (erroneous) mutants were derived. Moreover, for benchmarking, an SDL specification was developed from which 13 TTCN test cases were generated using the tool Autolink, which is part of the SDL tool set Tau.

The 28 different implementations were tested with respect to the LOTOS and Promela specifications using TorX with the on-the-fly approach. All 25 ioco-incorrect mutants could be detected, based on the LOTOS as well as on the Promela specification. The length of the test run, i.e., the number of test events before the defect was detected, varied between 2 and 498 test events. Two mutants, although differing from the specification, were ioco-correct, and indeed no errors were found in these implementations. (These implementations differed in traces not explicitly contained in the specification, i.e., traces σ with σ ∉ Straces(s), cf. the definition of ioco in section 4.)

While testing the ioco-correct implementations based on the LOTOS specification, we were able to execute test runs consisting of 28,000 test events without finding a discrepancy between implementation and specification. Then the infamous message “out of memory” occurred while consuming 1.4 Gb. of memory. Since our Promela implementation in TorX inherits the state-space exploration algorithm from the very efficient model checker Spin, much longer test runs could be made with Promela: 450,000 test events using 400 Mb.

Using the 13 SDL-derived test cases, 5 erroneous mutants slipped through the 
testing procedure: they obtained a verdict pass. Although this experiment was 
certainly not significant enough for a fair comparison between the tool TorX 
and the commercial tool Autolink, we dare conclude that the ioco-based test 
theory as implemented in TorX constitutes a sound, feasible, and practically 
applicable approach for conformance testing based on formal methods. 



6 Concluding Remarks 

We have shown in this paper how formal methods can be used in conformance 
testing. It can be concluded that the use of formal methods in testing has many 
advantages. These advantages include 

— a formal, thus more precise and less ambiguous specification of what should 
be tested; 

— formal preciseness and clarity in the properties that are being tested; 

— formal reasoning about the validity of tests; and

— algorithmic generation of test cases, with the potential of automated test case derivation.

The first advantage is already present in the testing process even if the testing process itself is not formal. Analysis of practical testing processes shows that most of the problems encountered are not due to the testing process itself but to unclear, imprecise and ambiguous specifications. Formalizing these specifications helps in reducing testing problems even without any formal testing. This is also one of the main conclusions of testing in the Bos-project, where specifications were written in Z and Promela and testing was performed systematically based on these formal specifications, but using manual, conventional techniques without any formal derivation steps.

The third advantage addresses another practical testing problem, viz. that 
the occurrence of a fail verdict does not always point to an error in the implemen- 
tation. In many cases, sometimes up to 50%, the error is due to an erroneous 
test case. Formal reasoning about conformance and about the validity of test 
cases may help to alleviate this problem. 

The second advantage opens ways to combine verification and testing in a 
systematic and precise way. Some properties of a system may be verified while 
others are tested. 

The fourth advantage has the largest economic implications. By automation 
the testing effort in software projects, which may currently take up to 40% of 
software development costs, may be reduced significantly. And this can be a good 
starting point for the introduction of formal methods in software development: 
most likely, more people will invest in using formal methods if test cases are for 
free once a formal system specification has been developed. 

Formal verification does not make testing superfluous, nor does testing make 
formal verification superfluous. They are complementary techniques for analysis 
and checking of correctness of systems. While verification aims at proving prop- 
erties about systems by formal manipulation on a mathematical model of the 
system, testing is performed by exercising the real, executing implementation 
(or an executable simulation model). Verification can give certainty about sat- 
isfaction of a required property, but this certainty only applies to the model of 
the system: any verification is only as good as the validity of the system model. 
Testing, being based on observing only a small subset of all possible instances of 
system behaviour, can never be complete: testing can only show the presence of 
errors, not their absence. But since testing can be applied to the real implemen- 
tation, it is useful in those cases when a valid and reliable model of the system 
is difficult to build due to complexity, when the complete system is a combina- 
tion of formal parts and parts which cannot be formally modelled (e.g., physical 
devices), when the model is proprietary (e.g., third party testing), or when the 
validity of a constructed model is to be checked with respect to the physical 
implementation. Moreover, testing based on a formal specification only makes 
sense if this specification can be assumed to be valid, i.e., has been sufficiently 
verified. 
A crucial point both in formal verification and in formal testing is the link 
with the non-formal reality. In verification this occurs when a model of reality is 
built for which informal arguments are given that it is a valid modelling of real- 
ity. Subsequently, reasoning occurs completely in the formal domain under the 
assumption that the formal results will also apply to reality if the model is valid. 
In formal testing the link with reality is established using the test hypothesis. 
Here, a model is assumed to exist in a particular formal domain. It is not nec- 
essary that this model is available (then we could perform formal verification), 
nor that we will ever be able to develop it. Moreover, it is assumed that the way 
of doing experiments on the real system is modelled in a valid way by the formal 
function obs. This incorporates, among others, that test cases are assumed to be 
correctly implemented. Whether in formal testing or in verification, somewhere 
the link to the non-formal reality has to be made. It is important to be aware 
of the assumptions on which this is based, so that results are interpreted in the 
right context and with the appropriate precautions. 

The formal testing framework of section 3 and its instantiation in section 4 provide a good basis for testing with formal methods. But they also point to some open problems. One of the most important ones is the problem of test selection. The algorithm for ioco test derivation, and many other similar algorithms, allow infinitely many sound test cases to be derived. But which ones shall be selected and executed? Can test suites be compared with respect to their error detecting capabilities? Can measures be assigned to test suites expressing their quality? Can the quality of an implementation passing a particular test suite be quantified? To these questions there are not many usable answers, yet. Solutions can be sought by defining coverage measures, fault models, quantifying test hypotheses, etc.
Abstract. A Markov decision process is a generalization of a Markov chain in which both probabilistic and nondeterministic choice coexist. Given a Markov decision process with costs associated with the transitions and a set of target states, the stochastic shortest path problem consists in computing the minimum expected cost of a control strategy that guarantees to reach the target. In this paper, we consider the classes of stochastic shortest path problems in which the costs are all non-negative, or all non-positive. Previously, these two classes of problems could be solved only under the assumption that the policies that minimize or maximize the expected cost also lead to the target with probability 1. This assumption does not necessarily hold for Markov decision processes that arise as models for distributed probabilistic systems. We present efficient methods for solving these two classes of problems without relying on additional assumptions. The methods are based on algorithms to transform the original problems into problems that satisfy the required assumptions. The methods lead to the efficient solution of two basic problems in the analysis of the reliability and performance of partially-specified systems: the computation of the minimum (or maximum) probability of reaching a target set, and the computation of the minimum (or maximum) expected time to reach the set.



1 Introduction 



Markov decision processes are generalizations of Markov chains in which probabilistic choice coexists with nondeterministic choice. Several models of distributed probabilistic systems are based either on Markov decision processes or on closely related formalisms, such as concurrent Markov chains, probabilistic automata and timed probabilistic automata. Several models based on process algebras are also closely related to Markov decision processes. In these proposals, probability enables the modeling of phenomena related to reliability and performance, while nondeterminism has been used to model concurrency, imprecise knowledge of the transition probabilities, and in general any behavior for which probabilistic information is not known.
A Markov decision process (MDP) consists of a set of states; with each state is associated a set of possible actions. At every state, the choice of the next action is nondeterministic; once chosen, the action determines the transition probability distribution for the successor state. In order to quantify the probabilistic properties of an MDP, the concept of policy is introduced, related to the schedulers and adversaries of other models. A policy is a criterion for selecting the actions during a behavior of the system; once the policy is fixed, the MDP is reduced to a conventional stochastic process. A simple way to introduce time in these models is to associate with each pair consisting of a state and a related action the time (or the expected time) spent at the state when the action is selected. One of the basic questions we can ask about the timing behavior of such a system is the expected time needed to reach a given set of target states from a specified starting state. Being able to answer this question opens the way to the automated verification of system properties such as expected time to failure, expected task completion time, and several others. Since the system model includes nondeterminism, the answer to this expected time question consists not in a single value, but rather in a range of values comprised between a minimum and a maximum, depending on whether the policy in use hastens or delays the reaching of the target. This paper is concerned with the question of how to compute these minimum and maximum values.

The problem of computing the maximum and minimum reachability times can be reduced to the stochastic shortest path (SSP) problem. In the statement of the SSP problem, with each state-action pair is associated a real-valued cost; the SSP problem consists in computing the minimum expected cost incurred to reach a set of target states. Hence, to compute the minimum (resp. maximum) reachability time, it suffices to equate the cost to the time (resp. to the time multiplied by −1) and to solve the resulting SSP problem. However, previous solutions to the SSP problem rely on assumptions that do not necessarily hold for the SSP problems obtained by the above reduction. In particular, previous solutions require that the target set can be reached with probability 1 from every state, and that either (a) every policy that does not lead to the target with probability 1 yields infinite expected total cost, or (b) the policies that minimize or maximize the expected total cost also lead to the target with probability 1. Under either one of these assumptions, the goal of reaching the target can be disregarded in the solution of the optimization problem, and the SSP problem can be solved by determining the policy that minimizes the total cost. If the starting and target states are part of a formal specification, or if the time associated with state-action pairs can be 0, these assumptions do not hold in general, and new solution methods are required.

The aim of this paper is to present methods for solving the SSP problem that rely on the assumptions that the costs are all non-negative, or all non-positive. We call the SSP problems that satisfy these assumptions the non-negative and non-positive SSP problems. Solving these SSP problems suffices for solving the original problem about the maximum and minimum reachability times. Furthermore, we show that the proposed solution methods can be applied to the efficient computation of the maximum and minimum probability of reaching a target set of states.
The minimum expected cost to reach a set of target states is well defined only if the target can be reached with probability 1. The first step in the solution of the SSP problem consists thus in computing the set of states from which the target set can be reached with probability 1. This problem can be solved in polynomial time by a reduction to linear programming. In this paper we present a more efficient algorithm, that solves the problem in time quadratic in the size of the MDP, and that does not require numerical computation. The algorithm, originating from earlier work, is related to an algorithm for solving two-person reachability games.

Once we have determined the states from which the target set cannot be reached with probability 1, we present two methods for solving the SSP problem on the remaining states. First, we show that non-negative and non-positive SSP problems can be solved using linear programming over the extended field ℝ ∪ {±∞}. Second, we present translation algorithms that transform non-negative and non-positive SSP problems into SSP problems that satisfy the assumptions previously considered in the literature. This enables the use of several well-known techniques for the solution of non-negative and non-positive SSP problems, such as value iteration methods, and methods based on learning and sample path analysis (see again the literature cited above). The translation algorithms have strongly-polynomial time complexity in the size of the MDP being translated. As the algorithms never increase and often reduce the size of the MDPs, they also perform a beneficial pre-conditioning prior to the application of numerical solution methods.

Finally, we apply the algorithms presented in this paper to the computation of the 
minimum and maximum probability of reaching a set of target states. The computation 
of the minimum reachability probability is useful for determining lower bounds for the 
probability of reaching desirable system configurations, or of accomplishing tasks from 
given starting points. The computation of the maximum reachability probability is one 
of the basic problems in probabilistic verification: aside from being of interest in its 
own right, it is at the basis of the algorithms for the determination of the maximum and 
minimum probability with which a linear-time temporal logic formula holds over an 
MDP. While the maximum reachability probability can be computed with previously 
known algorithms, the proposed approach minimizes the size of the numerical problem 
to be solved. 



2 Preliminaries 

A Markov decision process (MDP) is a generalization of a Markov chain in which 
nondeterministic choice coexists with probabilistic choice. Markov decision processes are 
closely related to probabilistic automata, to concurrent Markov chains, and to simple 
probabilistic automata. To present their definition, given a countable set $C$ we denote 
by $\mathcal{D}(C)$ the set of probability distributions over $C$, i.e. the set of functions 
$f : C \to [0,1]$ such that $\sum_{x \in C} f(x) = 1$. Given a distribution $f \in \mathcal{D}(C)$, 
we indicate by $Support(f) = \{x \in C \mid f(x) > 0\}$ its support. 

An MDP $\mathcal{M} = (S, Acts, A, p)$ consists of the following components: 

- a finite set $S$ of states; 

- a finite set $Acts$ of actions; 

- a function $A : S \to 2^{Acts}$ that associates with each $s \in S$ a finite set $A(s) \subseteq Acts$ 
of actions available at $s$; 

- a function $p : S \times Acts \to \mathcal{D}(S)$ that associates with each $s, t \in S$ and $a \in A(s)$ 
the probability $p(s,a)(t)$ of a transition from $s$ to $t$ when action $a$ is selected. 

A path of the MDP $\mathcal{M}$ is an infinite sequence $\omega : s_0, a_0, s_1, a_1, \ldots$ of alternating states 
and actions, such that $s_i \in S$, $a_i \in A(s_i)$ and $p(s_i, a_i)(s_{i+1}) > 0$ for all $i \geq 0$. For $i \geq 0$, 
the sequence is constructed by iterating a two-phase selection process. First, an action 
$a_i \in A(s_i)$ is selected nondeterministically; second, the successor state $s_{i+1}$ is chosen 
according to the probability distribution $p(s_i, a_i)$. Given a path $\omega : s_0, a_0, s_1, a_1, \ldots$ and 
$k \geq 0$, we denote by $X_k(\omega)$, $Y_k(\omega)$ its $k$-th state $s_k$ and its $k$-th action $a_k$, respectively. 
Given a state $s \in S$ and an action $a \in A(s)$, we also denote by $dest(s,a) = \{t \in S \mid p(s,a)(t) > 0\}$ 
the set of possible successors of $s$ when $a$ is selected. 

To be able to talk about the probability of system behaviors, we need to specify the 
criteria with which the actions are chosen. To this end, we use the concept of policy, 
closely related to the notions of adversary and scheduler used in other models. A policy 
$\eta$ is a mapping $\eta : S^+ \to \mathcal{D}(Acts)$, which associates with each finite sequence of states 
$s_0, s_1, \ldots, s_n \in S^+$ and each $a \in A(s_n)$ the probability $\eta(s_0, \ldots, s_n)(a)$ of choosing $a$ 
after following the sequence of states $s_0, \ldots, s_n$. We require that $\eta(s_0, \ldots, s_n)(a) > 0$ 
implies $a \in A(s_n)$: a policy can choose only among the actions that are available at 
the state where the choice is made. We indicate with $Pol$ the set of all policies. We say 
that a policy $\eta$ is memoryless if $\eta(s_0, \ldots, s_n)(a) = \eta(s_n)(a)$ for all sequences of states 
$s_0, \ldots, s_n \in S^+$ and all $a \in A(s_n)$. 

For every state $s \in S$, we denote by $\Omega_s$ the set of paths having $s$ as initial state, 
and we let $\mathcal{B}_s \subseteq 2^{\Omega_s}$ be the $\sigma$-algebra of measurable subsets of $\Omega_s$, following the 
classical definition. Under policy $\eta$ the probability of following a finite path 
prefix $s_0 a_0 s_1 a_1 \cdots s_n$ is $\prod_{i=0}^{n-1} p(s_i, a_i)(s_{i+1})\, \eta(s_0 \cdots s_i)(a_i)$. These probabilities for 
prefixes give rise to a unique probability measure on $\mathcal{B}_s$. We write $\Pr^\eta_s(\mathcal{A})$ to denote 
the probability of event $\mathcal{A} \in \mathcal{B}_s$ under policy $\eta$, and $E^\eta_s\{f\}$ to denote the expectation 
of the random function $f$ from state $s$ under policy $\eta$. 

2.1 The Stochastic Shortest Path Problem 

An instance $\Pi = (S, Acts, A, p, R, c, g)$ of the stochastic shortest path problem consists 
of an MDP $(S, Acts, A, p)$, together with the additional components $R$, $c$ and $g$: 

- $R \subseteq S$ is the set of destination states; 

- $c : S \times Acts \to \mathbb{R}$ is the running cost function, that associates with each state 
$s \in S \setminus R$ and each action $a \in A(s)$ the cost $c(s,a)$; 

- $g : R \to \mathbb{R}$ is the terminal cost function, that associates to each $s \in R$ its terminal 
cost $g(s)$. 

We say that an instance of the SSP problem is non-negative (resp. non-positive) if 
$c(s,a) \geq 0$ (resp. $c(s,a) \leq 0$) for all $s \in S$ and $a \in A(s)$; note that the sign of $g$ 
is not relevant for this definition. 

The SSP problem consists in determining the minimum cost of reaching $R$ when 
following a policy that reaches $R$ with probability 1, provided such a policy exists. 
Precisely, let $T_R(\omega) = \min\{k \mid X_k(\omega) \in R\}$ be the position of the first visit of a path in 
$R$. For all $s \in S$ we denote by $Prp(s) = \{\eta \in Pol \mid \Pr^\eta_s(T_R < \infty) = 1\}$ the set of 
policies that lead from $s$ to $R$ with probability 1; these policies are the proper policies 
for $s$. Given a state $s \in S$, the cost $v^\eta_s$ of a policy $\eta$ is defined by 

$v^\eta_s = E^\eta_s\Big\{ g(X_{T_R}) + \sum_{k=0}^{T_R - 1} c(X_k, Y_k) \Big\} . \qquad (1)$ 

A policy $\eta$ is optimal if $v^\eta_s = v^*_s$ for all $s \in S \setminus R$. With this notation, the SSP problem 
consists in: 

1. determining the set $Q = \{s \in S \setminus R \mid Prp(s) \neq \emptyset\}$ of states having at least one 
proper policy; 

2. computing the minimum cost $v^*_s = \inf_{\eta \in Prp(s)} v^\eta_s$ of a proper policy at all $s \in Q$. 

Usually, the SSP problem is considered to consist only in the second question, and the 
existence of at least one proper policy for each state is stated as an assumption. How- 
ever, when the SSP problem is used to compute the minimum or maximum reachability 
times between an initial state and a set of target states that are part of a reliability or 
performance specification, we cannot assume that the target set can be reached from 
the initial state with probability 1. Hence, in Section 2.3 we present an algorithm to 
solve also this first question. In addition, we will characterize the optimal policies for 
non-negative and non-positive SSP problems. 

SSP Problem and Reachability Time. In a timed probabilistic system, the timing behav- 
ior of an MDP $(S, Acts, A, p)$ is specified by means of a function $time : S \times Acts \to \mathbb{R}^+$ 
that associates with each $s \in S$ and $a \in A(s)$ the expected amount of time $time(s,a)$ 
spent at state $s$ when action $a$ is selected. Given a set $R$ of target states, to com- 
pute the minimum (resp. maximum) expected time to reach $R$ it suffices to solve an 
SSP problem having cost functions defined by $c(s,a) = time(s,a)$ (resp. $c(s,a) = 
-time(s,a)$) and $g(s) = 0$, for all $s \in S$ and $a \in A(s)$. The minimum (resp. maxi- 
mum) expected time to reach $R$ from $s \in S \setminus R$ is then given by $v^*_s$ (resp. $-v^*_s$). 

2.2 End Components 

The algorithms that we present to solve the classes of SSP problems rely on the notion 
of end component. End components are the analogous concept in Markov decision 
processes of the closed recurrent classes of Markov chains: they represent the sets 
of states and actions that can be repeated infinitely often along a path with non-zero 
probability. Related sets of states have been used for solving optimization problems on 
MDPs. Given an MDP $\mathcal{M} = (S, Acts, A, p)$, a sub-MDP is a pair $(C, D)$, where 
$C \subseteq S$ is a subset of states and $D : S \to 2^{Acts}$ is a function that associates to each 
$s \in S$ a subset $D(s) \subseteq A(s)$ of actions. A sub-MDP $(C, D)$ is an end component if the 
following conditions hold: 

- Closure: for all $s \in C$, $a \in D(s)$, and $t \in S$, if $p(s,a)(t) > 0$ then $t \in C$. 

- Connectivity: Let $E = \{(s,t) \in C \times C \mid \exists a \in D(s) . p(s,a)(t) > 0\}$; then, the 
graph $(C, E)$ is strongly connected. 

We say that an end component $(C, D)$ is contained in a sub-MDP $(C', D')$ if 

$\{(s,a) \mid s \in C \wedge a \in D(s)\} \subseteq \{(s,a) \mid s \in C' \wedge a \in D'(s)\}$ . 

We say that an end component $(C, D)$ is maximal in a sub-MDP $(C', D')$ if there is 
no other end component $(C'', D'')$ contained in $(C', D')$ that properly contains $(C, D)$. 
We denote by $Mec(C', D')$ the set of maximal end components of $(C', D')$. It is not 
difficult to see that, given a sub-MDP $(C, D)$, the set $Mec(C, D)$ can be computed in 
time polynomial in $|C| + \sum_{s \in C} |D(s)|$ using simple graph algorithms. Given a path 
$\omega$, denote by $InfS(\omega) = \{s \in S \mid \exists^\infty k . X_k(\omega) = s\}$ the set of states visited infinitely 
often by $\omega$, where $\exists^\infty$ is a shorthand for "there are infinitely many distinct". Also, define 
$InfA(\omega) : S \to 2^{Acts}$ by $InfA(\omega)(s) = \{a \in A(s) \mid \exists^\infty k . X_k(\omega) = s \wedge Y_k(\omega) = a\}$ 
for all $s \in S$. The following theorem summarizes the basic property of end components. 

Theorem 1. For all $s \in S$ and all $\eta \in Pol$, we have 

$\Pr^\eta_s\big((InfS(\omega), InfA(\omega)) \text{ is an end component}\big) = 1$ . 

2.3 Computing the Set of States Having Proper Policies 

As a first step in the solution of the SSP problem, we must compute the set 

$Reach(R) = \{s \in S \mid \exists \eta \in Pol . \Pr^\eta_s(T_R < \infty) = 1\}$ 

consisting of the states having at least one proper policy. This problem can be solved by 
reducing it to several well-known dynamic programming problems, such as the max- 
imum average reward problem or the maximum reachability probability problem. 
However, these reductions yield algorithms that are based on linear programming, 
and their time complexity is only weakly polynomial, i.e. it depends on the size of the 
bit strings encoding the probability values in the input description of the problem. We 
present here an algorithm that solves the problem in time quadratic in the size of the 
MDP, and that does not require any numerical computation. The algorithm appeared 
in earlier work, and is related to an algorithm for solving reachability problems in 
two-person games; it is also reminiscent of an independently proposed algorithm. To 
present the algorithm, given two subsets $X, Y \subseteq S$ of states we define the predicate 
$APre(Y, X)$ so that for all $s \in S$, 

$s \models APre(Y, X) \quad \text{iff} \quad \exists a \in A(s) . \big(dest(s,a) \subseteq Y \wedge dest(s,a) \cap X \neq \emptyset\big)$ . 

Given a subset $R$ of target states, we compute $Reach(R)$ by the following $\mu$-calculus 
expression: 

$Reach(R) = \nu Y . \mu X . \big(APre(Y, X) \vee R\big) , \qquad (2)$ 

where we have used the slightly improper notation of denoting by $R$ a predicate that 
holds exactly for the states in $R$. The algorithm (2) can be understood as follows. Denot- 
ing by $Y_k$ the value of the set $Y$ computed at iteration $k \geq 0$, we have initially $Y_0 = S$. 
At the end of the first iteration, we have $Y_1 = S \setminus C_0$, where $C_0$ is the subset of states of 
$S$ that cannot reach $R$. At the end of the second iteration, we have $Y_2 = Y_1 \setminus C_1$, where 
$C_1$ is the set of states that cannot reach $R$ without risking to enter $C_0$. In general, at the 
end of iteration $k > 0$, we have $Y_k = Y_{k-1} \setminus C_{k-1}$, where $C_{k-1}$ consists of the states 
that cannot reach $R$ without risking to enter $\bigcup_{i=0}^{k-2} C_i$. Given an MDP $\mathcal{M} = (S, Acts, A, p)$, 
define its graph size $|\mathcal{M}|$ by 

$|\mathcal{M}| = \sum_{s \in S} \sum_{a \in A(s)} |Support(p(s,a))|$ . 

The following theorem summarizes the results about this algorithm. 

Theorem 2. Given an MDP $\mathcal{M} = (S, Acts, A, p)$ and a set $R \subseteq S$ of target states, relation 
(2) correctly computes $Reach(R)$ in time quadratic in $|\mathcal{M}|$. 

Once the set $Reach(R)$ has been computed, we can replace the original SSP problem 
$(S, Acts, A, p, R, c, g)$ with a new problem $(Q, Acts, A', p', R, c', g')$, where $Q = 
Reach(R)$, where $p', c', g'$ are the restrictions of $p, c, g$ to $Q$, and where for all $s \in Q$ 
we let $A'(s) = \{a \in A(s) \mid dest(s,a) \subseteq Q\}$. To avoid a change of notation, in the fol- 
lowing we denote an instance of the SSP problem again by $(S, Acts, A, p, R, c, g)$, but 
we assume that $Reach(R) = S$. This is equivalent to assuming that the above reduction 
has been made already. 
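As an added illustration (not code from the paper), the following Python program evaluates the nested fixpoint (2) by plain set iteration and then applies the restriction $A'(s)$ of the reduction just described. The MDP it runs on is constructed here for the purpose and is not one of the paper's figures: one state is a sink that never reaches the target, one can reach it only by risking the sink, and one can reach it with probability 1 by repeating a single action.

```python
from typing import Dict, Set

# p[s][a] is the distribution p(s, a), stored as a dict t -> probability.
MDP = Dict[str, Dict[str, Dict[str, float]]]

# Constructed MDP (an assumption, not a figure from the paper): s3 is a sink
# that never reaches the target, s2 can reach it only by risking s3, and s1 can
# reach it with probability 1 by repeating action b.
EXAMPLE: MDP = {
    "s0": {"a": {"s1": 1.0}},
    "s1": {"a": {"s2": 0.5, "s4": 0.5}, "b": {"s1": 0.5, "s4": 0.5}},
    "s2": {"risky": {"s3": 0.5, "s4": 0.5}},
    "s3": {"stay": {"s3": 1.0}},
    "s4": {"done": {"s4": 1.0}},
}
TARGET = {"s4"}


def dest(mdp: MDP, s: str, a: str) -> Set[str]:
    """dest(s, a) = {t | p(s, a)(t) > 0}: the possible successors of s under a."""
    return {t for t, pr in mdp[s][a].items() if pr > 0}


def apre(mdp: MDP, Y: Set[str], X: Set[str]) -> Set[str]:
    """s |= APre(Y, X) iff some action keeps every successor in Y and can reach X."""
    return {
        s for s in mdp
        if any(dest(mdp, s, a) <= Y and dest(mdp, s, a) & X for a in mdp[s])
    }


def reach(mdp: MDP, R: Set[str]) -> Set[str]:
    """Reach(R) = nu Y . mu X . (APre(Y, X) or R), equation (2).

    The inner loop grows X (least fixpoint) inside the current Y; the outer
    loop replaces Y by that fixpoint until it stops shrinking.  Every outer
    round removes at least one state and every inner round adds at least one,
    so at most |S|^2 evaluations of APre are needed, and no arithmetic on the
    probabilities is performed: only the supports dest(s, a) matter.
    """
    Y = set(mdp)
    while True:
        X: Set[str] = set(R)
        while True:
            X_next = set(R) | apre(mdp, Y, X)
            if X_next == X:
                break
            X = X_next
        if X == Y:
            return Y
        Y = X


def restrict_actions(mdp: MDP, Q: Set[str]) -> Dict[str, Set[str]]:
    """A'(s) = {a in A(s) | dest(s, a) subset of Q} for s in Q (the reduction above)."""
    return {s: {a for a in mdp[s] if dest(mdp, s, a) <= Q} for s in Q}


if __name__ == "__main__":
    Q = reach(EXAMPLE, TARGET)
    print("Reach(R) =", sorted(Q))                     # ['s0', 's1', 's4']
    print("A'       =", restrict_actions(EXAMPLE, Q))  # s1 keeps only action b
```

On this instance the outer iteration removes first $C_0 = \{s_3\}$ (it cannot reach the target at all) and then $C_1 = \{s_2\}$ (it can reach the target only by risking $s_3$), after which $Y$ is stable; the restriction then drops action $a$ at $s_1$, whose successors include the removed $s_2$.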



3 Solving Non-negative SSP Problems 



The class of SSP problems that is most closely related to the non-negative class, and 
for which solution methods have been presented in the literature, is the one in which 
there is, for all $s \in S$, a proper policy that minimizes the total cost: under this additional 
assumption the SSP problem is known to be solvable. An example of an SSP problem in 
which this assumption does not hold is depicted in Figure 1. Clearly, the policy that 
minimizes (1) is the policy $\eta_1$ that always chooses action $a$ at $s_3$; this policy leads to the 
expected cost $v^{\eta_1}_{s_1} = 1$. However, this policy is not proper, and it is easy to see that for 
every proper policy $\eta$ it is $v^\eta_{s_1} = 3$. 

Fig. 1. An instance of SSP problem. The target set is $R = \{s_4\}$, and the terminal cost is 
$g(s_4) = 0$. States are represented as nodes of a graph, and actions as edges. We have 
indicated only the actions $a$ and $b$ corresponding to state $s_3$, where $A(s_3) = \{a, b\}$. In 
this example, all actions (including $a$ and $b$) are deterministic, i.e. they lead to only one 
destination state. The actions are labeled with their cost $c$. The two actions having cost 0 
have been indicated with dashed lines. A larger instance of SSP problem is presented 
in Figure 3. 

To understand why the iterative approaches such as value iteration cannot be applied 
immediately to this problem, let $n = |S \setminus R|$, and denote with $v = [v_s]_{s \in S \setminus R} \in \mathbb{R}^n$ 
a vector of real numbers indexed by the states of $S \setminus R$. Define the Bellman operator 
$L : \mathbb{R}^n \to \mathbb{R}^n$ on the space of $v$ by 

$[L(v)]_s = \min_{a \in A(s)} \Big[ c(s,a) + \sum_{t \in S \setminus R} p(s,a)(t)\, v_t + \sum_{t \in R} p(s,a)(t)\, g(t) \Big] , \qquad s \in S \setminus R , \qquad (3)$ 

where $[L(v)]_s$ denotes the $s$-component of vector $L(v)$. Given an initial vector $v^0$, 
the value iteration method computes the sequence of vectors $v^0, v^1, v^2, \ldots$ by $v^{k+1} = 
L(v^k)$, for $k \geq 0$, and returns as answer $\lim_{k \to \infty} v^k$, provided the limit exists. The 
initial vector $v^0$ represents an initial (often arbitrary) estimate for the minimum ex- 
pected reachability cost; each iteration of the Bellman operator $L$ is aimed at improving 
the estimate. Clearly, the answer returned by the value iteration procedure is a fixpoint 
of $L$. However, in non-negative SSP problems the Bellman operator $L$ may admit more 
than one fixpoint: for example, in the SSP problem of Figure 1, for all $x \geq 0$ the vectors 

$v(x) = [v_1, v_2, v_3] = [3, 2, 2] - x\,[1, 1, 1] \qquad (4)$ 

satisfy $v = L(v)$. If $L$ admits more than one fixpoint, the sequence $v^0, v^1, \ldots$ can 
converge to any one of them, depending on the value of the initial estimate $v^0$. In the 
example of Figure 1, starting from the initial vector $[0,0,0]$, the value iteration method 
converges to the fixpoint $[1,0,0]$. However, we will prove that the solution of the SSP 
problem corresponds to the largest fixpoint, which in this case is $[3,2,2]$. The fact that 
the Bellman operator does not necessarily admit a unique fixpoint in non-negative SSP 
problems not only prevents a direct application of value iteration methods, but also 
blocks the standard line of analysis for the solution based on linear programming. 
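The following Python code is an added example, not code from the paper. It implements the Bellman operator (3) and plain value iteration, and runs them on an SSP instance that is an assumption: the figure itself is not reproduced on this page, so the concrete transitions were chosen to match the textual description of Figure 1 ($s_1 \to s_2$ at cost 1, $s_2 \to s_3$ at cost 0, action $a$ at $s_3$ back to $s_2$ at cost 0, action $b$ at $s_3$ to $s_4$ at cost 2), which makes the fixpoints of $L$ exactly the vectors $v(x)$ of (4).

```python
from typing import Dict, Tuple

# ssp[s][a] = (c(s, a), p(s, a)) for s outside the target R; p(s, a) is t -> prob.
SSP = Dict[str, Dict[str, Tuple[float, Dict[str, float]]]]

# Instance reconstructed from the description of Figure 1 (an assumption).
FIG1: SSP = {
    "s1": {"go": (1.0, {"s2": 1.0})},
    "s2": {"go": (0.0, {"s3": 1.0})},
    "s3": {"a": (0.0, {"s2": 1.0}), "b": (2.0, {"s4": 1.0})},
}
FIG1_R = {"s4"}
FIG1_G = {"s4": 0.0}  # terminal cost g


def bellman(ssp: SSP, R: set, g: Dict[str, float], v: Dict[str, float]) -> Dict[str, float]:
    """One application of L, equation (3):
    [L(v)]_s = min_a [ c(s,a) + sum_{t notin R} p(s,a)(t) v_t + sum_{t in R} p(s,a)(t) g(t) ]."""
    return {
        s: min(
            c + sum(pr * (g[t] if t in R else v[t]) for t, pr in dist.items())
            for c, dist in acts.values()
        )
        for s, acts in ssp.items()
    }


def is_fixpoint(ssp: SSP, R: set, g: Dict[str, float], v: Dict[str, float], eps: float = 1e-9) -> bool:
    """True iff v = L(v) up to rounding."""
    w = bellman(ssp, R, g, v)
    return all(abs(w[s] - v[s]) <= eps for s in v)


def value_iteration(ssp: SSP, R: set, g: Dict[str, float], v0: Dict[str, float],
                    max_iter: int = 10_000, eps: float = 1e-12) -> Tuple[Dict[str, float], int]:
    """Iterate v_{k+1} = L(v_k) from v0 until the change is below eps.
    Returns the final vector and the number of iterations performed."""
    v = dict(v0)
    for k in range(max_iter):
        w = bellman(ssp, R, g, v)
        if all(abs(w[s] - v[s]) <= eps for s in v):
            return w, k
        v = w
    return v, max_iter


def fixpoint_family(x: float) -> Dict[str, float]:
    """The vectors v(x) = [3, 2, 2] - x [1, 1, 1] of equation (4), indexed by state."""
    return {"s1": 3.0 - x, "s2": 2.0 - x, "s3": 2.0 - x}


if __name__ == "__main__":
    zero = {s: 0.0 for s in FIG1}
    print("from 0:   ", value_iteration(FIG1, FIG1_R, FIG1_G, zero)[0])  # s1: 1, s2: 0, s3: 0
    for x in (0.0, 0.5, 5.0):                                             # all fixpoints
        print("v(%.1f) is a fixpoint:" % x, is_fixpoint(FIG1, FIG1_R, FIG1_G, fixpoint_family(x)))
    print("from 10:  ", value_iteration(FIG1, FIG1_R, FIG1_G, {s: 10.0 for s in FIG1})[0])
    print("solution (largest fixpoint):", fixpoint_family(0.0))           # s1: 3, s2: 2, s3: 2
```

Started from $[0,0,0]$ the iteration stops after one step at $[1,0,0]$, the cost of the improper policy $\eta_1$, while every $v(x)$ with $x \geq 0$ passes the fixpoint check and $v(x)$ with $x < 0$ does not. On this particular instance an initial estimate above the solution happens to descend to $[3,2,2]$; the paper's guarantee, however, comes from the elimination of 0-cost end components or from the linear program, not from the choice of a starting vector.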

We present two approaches to the solution of non-negative SSP problems. The first 
approach is based on the observation that the difficulties in solving non-negative SSP 
problems stem from the presence in the SSP problem of end components consisting of 
state-action pairs having 0 cost. If we remove these components, we obtain an equiv- 
alent problem whose Bellman operator has a unique fixpoint; the problem can then be 
solved using any of several methods that have been developed for SSP problems, includ- 
ing linear programming and value iteration. This approach has two advantages. First, it 
makes it possible to exploit in the solution of the SSP problem many numerical techniques that 
have been devised to handle large-sized problems. Second, the algorithm that removes 
the end components often achieves a reduction of the size of the problem. 

The second approach consists in reducing the SSP problem directly to linear pro- 
gramming: since the solution of the linear programming problem corresponds to the 
greatest fixpoint of the Bellman operator, as we will show, it also corresponds to the 
solution of the SSP problem. The correctness proof of this second approach relies on an 
analysis of the first approach. 
3.1 Eliminating 0-Cost End Components 

A 0-cost end component is an end component $(C, D)$ such that $c(s,a) = 0$ for all 
$s \in C$ and all $a \in D(s)$. As we will show (see Theorem 3), the lack of uniqueness of 
the fixpoint is due to the presence of 0-cost end components in the MDP. In a 0-cost 
component $(C, D)$, by selecting at each $s \in C$ the actions in $D(s)$ uniformly at random, 
we can go from any state of $C$ to any other state of $C$ with probability 1 while incurring 
cost 0. Hence, the states of a 0-cost end component are equivalent from the point of 
view of the minimum cost to the target. The following algorithm exploits this fact to 
eliminate the 0-cost end components of an MDP by replacing them with single states. 
The algorithm opens the way to the use of iterative methods based on the Bellman 
operator for the solution of the non-negative SSP problem. 

Algorithm 1 (Eliminating 0-Cost End Components). 

Input: SSP problem $\Pi = (S, Acts, A, p, R, c, g)$. 

Output: SSP problem $\hat\Pi = ElimEC(\Pi) = (\hat S, \widehat{Acts}, \hat A, \hat p, R, \hat c, \hat g)$. 

Method: For each $s \in S \setminus R$, let $D(s) = \{a \in A(s) \mid c(s,a) = 0\}$, and let $\{(B_1, D_1), 
\ldots, (B_n, D_n)\} = Mec(S \setminus R, D)$ be the set of 0-cost maximal end components 
that lie outside $R$. Define $\hat S = S \cup \{\hat s_1, \ldots, \hat s_n\} \setminus \bigcup_{i=1}^n B_i$, where $\hat s_1, \ldots, \hat s_n$ are 
new states. The action sets associated with the states are defined by: 

$s \in S \setminus \bigcup_{i=1}^n B_i : \quad \hat A(s) = \{(s,a) \mid a \in A(s)\}$ 

$1 \leq i \leq n : \quad \hat A(\hat s_i) = \{(s,a) \mid s \in B_i \wedge a \in A(s) \setminus D_i(s)\}$ . 

For $s \in \hat S$, $t \in S \setminus \bigcup_{i=1}^n B_i$, $(u,a) \in \hat A(s)$ and $1 \leq i \leq n$, the transition probabilities are 
defined by $\hat p(s,(u,a))(t) = p(u,a)(t)$ and $\hat p(s,(u,a))(\hat s_i) = \sum_{t \in B_i} p(u,a)(t)$. 
For $s \in \hat S$ and $(u,a) \in \hat A(s)$ we let $\hat c(s,(u,a)) = c(u,a)$; for $s \in R$ we let 
$\hat g(s) = g(s)$. 

The algorithm replaces each 0-cost end component $(B_i, D_i)$ with a single new state $\hat s_i$, 
for $1 \leq i \leq n$. The actions associated with $\hat s_i$ consist in all the pairs $(s, a)$ such that 
$s \in B_i$ and $a \in A(s)$ is an action not belonging to the end component. Intuitively, tak- 
ing action $(s,a)$ at $\hat s_i$ corresponds to taking action $a$ from $s$, possibly leaving $B_i$. The 
transition probabilities and costs of the corresponding actions are unchanged, except 
that the probability of a transition to $\hat s_i$ is equal to the probability of a transition into $B_i$ 
in the original system, for $1 \leq i \leq n$. The result of applying Algorithm 1 to the instance 
of SSP depicted in Figure 1 is illustrated in Figure 2. The (maximal) end component 
formed by states $s_2, s_3$ together with the 0-cost actions has been replaced by the single 
state $\hat s_1$. Figure 3 depicts another example of application of Algorithm 1. The algorithm 
computes the 0-cost end components $(B_1, D_1)$, $(B_2, D_2)$, where the first end compo- 
nent is given by $B_1 = \{s_3, s_4, s_7\}$ and $D_1(s_3) = \{d\}$, $D_1(s_4) = \{k\}$, $D_1(s_7) = \{j\}$, 
and the second one by $B_2 = \{s_5, s_6\}$ and $D_2(s_5) = \{f\}$, $D_2(s_6) = \{g\}$. The algo- 
rithm replaces these end components with the two new states $\hat s_1$ and $\hat s_2$. This example 
illustrates the potential reduction of the state-space of the system. 
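As an added example (not the paper's code), the following Python program computes maximal end components and runs Algorithm 1 on the same reconstruction of the Figure 1 instance used for the value-iteration example above (an assumption consistent with the description of Figure 1 and with equation (4)). It then checks two consequences the text states: after the elimination no end component is left outside $R$, and value iteration on the reduced problem returns the same cost from any starting vector, namely $v^*_{s_1} = 3$ and $\hat v^*_{\hat s_1} = 2$ for the collapsed states $s_2, s_3$. The names `hat_s1`, `elim_ec` and the dictionary encoding of an SSP instance are conventions of this example only.

```python
from typing import Any, Dict, List, Set, Tuple

# ssp[s][a] = (c(s, a), p(s, a)) for s outside R, with p(s, a) as t -> probability.
SSP = Dict[str, Dict[Any, Tuple[float, Dict[str, float]]]]

# Instance reconstructed from the description of Figure 1 (an assumption):
# s1 -(1)-> s2 -(0)-> s3; at s3, a returns to s2 at cost 0 and b reaches s4 at cost 2.
FIG1: SSP = {
    "s1": {"go": (1.0, {"s2": 1.0})},
    "s2": {"go": (0.0, {"s3": 1.0})},
    "s3": {"a": (0.0, {"s2": 1.0}), "b": (2.0, {"s4": 1.0})},
}
FIG1_R = {"s4"}


def sccs(nodes: Set[str], succ: Dict[str, Set[str]]) -> List[Set[str]]:
    """SCCs of (nodes, succ): u and v share a component iff each reaches the other."""
    reachable: Dict[str, Set[str]] = {}
    for u in nodes:
        seen, stack = {u}, [u]
        while stack:
            for v in succ[stack.pop()]:
                if v not in seen:
                    seen.add(v)
                    stack.append(v)
        reachable[u] = seen
    comps: List[Set[str]] = []
    for u in nodes:
        if not any(u in c for c in comps):
            comps.append({v for v in nodes if v in reachable[u] and u in reachable[v]})
    return comps


def mec(ssp: SSP, C: Set[str], D: Dict[str, Set[Any]]) -> List[Tuple[Set[str], Dict[str, Set[Any]]]]:
    """Mec(C, D): drop actions leaving the current state set and states left with no
    action (closure), split along SCCs (connectivity), and repeat; a set that
    survives as a single SCC is a maximal end component of (C, D)."""
    result, work = [], [(set(C), {s: set(D[s]) for s in C})]
    while work:
        C, D = work.pop()
        D = {s: {a for a in D[s] if set(ssp[s][a][1]) <= C} for s in C}
        kept = {s for s in C if D[s]}
        if kept != C:
            if kept:
                work.append((kept, {s: D[s] for s in kept}))
            continue
        succ = {s: {t for a in D[s] for t in ssp[s][a][1]} for s in C}
        comps = sccs(C, succ)
        if len(comps) == 1:
            result.append((C, D))
        else:
            work.extend((c, {s: D[s] for s in c}) for c in comps)
    return result


def elim_ec(ssp: SSP, R: Set[str]) -> Tuple[SSP, Dict[str, str]]:
    """Algorithm 1 (ElimEC): collapse each maximal 0-cost end component outside R
    into a fresh state hat_s_i.  Returns the reduced problem and the map from
    original to reduced states (the identity outside the collapsed components)."""
    zero = {s: {a for a, (c, _) in ssp[s].items() if c == 0} for s in ssp if s not in R}
    comps = mec(ssp, set(zero), zero)
    rename = {s: s for s in ssp}
    for i, (B, _) in enumerate(comps, start=1):
        rename.update({s: "hat_s%d" % i for s in B})
    reduced: SSP = {rename[s]: {} for s in ssp}
    for s, acts in ssp.items():
        inside = next((Di.get(s, set()) for B, Di in comps if s in B), set())
        for a, (c, dist) in acts.items():
            if a in inside:                 # 0-cost action staying inside B_i: dropped
                continue
            new_dist: Dict[str, float] = {}
            for t, pr in dist.items():      # mass entering B_i is redirected to hat_s_i
                u = rename.get(t, t)
                new_dist[u] = new_dist.get(u, 0.0) + pr
            reduced[rename[s]][(s, a)] = (c, new_dist)
    return reduced, rename


def value_iteration(ssp: SSP, R: Set[str], g: Dict[str, float], start: float) -> Dict[str, float]:
    """Bellman iteration (3) from a constant initial vector until it stabilises."""
    v = {s: start for s in ssp}
    while True:
        w = {s: min(c + sum(pr * (g[t] if t in R else v[t]) for t, pr in d.items())
                    for c, d in ssp[s].values()) for s in ssp}
        if all(abs(w[s] - v[s]) < 1e-12 for s in v):
            return w
        v = w


if __name__ == "__main__":
    red, ren = elim_ec(FIG1, FIG1_R)
    print(ren, red)                                             # s2, s3 -> hat_s1
    print(mec(red, set(red), {s: set(red[s]) for s in red}))    # []: no EC outside R
    print(value_iteration(red, FIG1_R, {"s4": 0.0}, 0.0),
          value_iteration(red, FIG1_R, {"s4": 0.0}, 100.0))     # both s1: 3, hat_s1: 2
```

The reduced instance has the single collapsed state `hat_s1` with the one action $(s_3, b)$ of cost 2, since $(s_2, go)$ and $(s_3, a)$ lie inside the component and are dropped; `mec` run on the reduced problem finds nothing outside $R$, which is the content of Lemma 1, and the value iteration started at 0 and at 100 agrees, as the uniqueness of the fixpoint predicts.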

Fig. 2. Result of applying Algorithm 1 to the instance of SSP problem depicted in Fig- 
ure 1. The new state $\hat s_1$ introduced by the algorithm is drawn as a filled circle. 

Fig. 3. An instance of SSP problem (left), and the result of applying Algorithm 1 to it 
(right). Here, not all actions are deterministic, and we depict actions that can lead to 
more than one destination by "bundles" of edges. To simplify the diagrams, we have 
indicated only the transition probabilities corresponding to a single action, and we have omitted 
all costs. The actions that have cost 0 have been represented by dashed edges. The 
target set is $R = \{s_9\}$. The new states $\hat s_1$ and $\hat s_2$ that have been introduced to replace 
the zero-cost end components are indicated by filled circles. 

Once the 0-cost end components have been eliminated, the next lemma shows that 
the reduced problem satisfies the following two assumptions: 

SSP-1 For all $s \in S$, we have $Prp(s) \neq \emptyset$. 

SSP-2 For all $s \in S$ and $\eta \notin Prp(s)$, we have $v^\eta_s = \infty$. 



Lemma 1. Consider an instance $\Pi$ of non-negative SSP problem such that there is 
at least one proper policy for each state, and let $\hat\Pi = ElimEC(\Pi)$. Then, $\hat\Pi$ satisfies 
assumptions SSP-1 and SSP-2. 

Proof. By hypothesis (or more accurately, by the algorithm presented in Section 2.3), $\hat\Pi$ 
satisfies SSP-1. By Theorem 1, the set of states and actions that are repeated infinitely 
often along a path is an end component. Hence, if all 0-cost end components have been 
eliminated, with probability 1 a path that does not reach $R$ has infinite cost, showing 
that $\hat\Pi$ satisfies SSP-2. 

The class of SSP problems that satisfies assumptions SSP-1 and SSP-2 has been 
studied in depth in the literature. In particular, it is known that the Bellman operator 
admits a unique fixpoint for this class of problems, and that there exist optimal policies 
that are memoryless. Moreover, such problems can be solved using value-iteration 
and policy-iteration methods, which converge to the solution. Other refined itera- 
tive methods for the solution of this class of problems are also known. As hinted 
by Lemma 1, the uniqueness of the fixpoint of the Bellman operator is related to the 
presence of 0-cost end components. 

Theorem 3. Given a non-negative instance $(S, Acts, A, p, R, c, g)$ of SSP problem, 
the Bellman operator $L$ admits a unique fixpoint iff there is no 0-cost end component 
$(C, D)$ with $C \subseteq S \setminus R$. 

Proof. In one direction, assume that a non-negative instance of SSP problem does not 
contain any 0-cost end component. Reasoning as for Lemma 1, we have that assump- 
tion SSP-2 holds. If assumption SSP-1 also holds, then the uniqueness of the fixpoint 
follows from the known results for that class. If assumption SSP-1 does not hold, then assumption SSP-2 ensures 
that the fixpoint of the Bellman operator diverges to $+\infty$ on the states where there is 
no proper policy. This, together with the known analysis for the states where there are 
proper policies, ensures again the uniqueness of the fixpoint. Conversely, if there is a 
0-cost end component in a non-negative SSP problem, then we can obtain multiple fix- 
points of the Bellman operator by selecting one such end component, and by lowering the 
value of the fixpoint there by an arbitrary amount, as in the example of Figure 1. 

The following theorem relates the solutions of the SSP problems $\Pi$ and $\hat\Pi$, and it 
enables the (trivial) derivation of a solution for $\Pi$ from a solution for $\hat\Pi$. 

Theorem 4. Consider an instance $\Pi$ of non-negative SSP such that there is at least 
one proper policy for each state, and let $\hat\Pi = ElimEC(\Pi)$. Let also $B_1, \ldots, B_n$ be the 
0-cost end components that are replaced by states $\hat s_1, \ldots, \hat s_n$. Denoting by $v^*$ (resp. $\hat v^*$) 
the solution of the SSP problems on $\Pi$ (resp. $\hat\Pi$), we have $v^*_s = \hat v^*_s$ for $s \in S \setminus \bigcup_{i=1}^n B_i$ 
and $v^*_s = \hat v^*_{\hat s_i}$ for $s \in B_i$, $1 \leq i \leq n$. 

Even though it might appear intuitively plausible that eliminating the 0-cost end com- 
ponents should not modify the solution of the SSP problem, the proof of the above 
theorem is somewhat involved and is not reported here. The same analysis also leads to 
the following result. 

Corollary 1. Non-negative SSP problems admit memoryless optimal policies. 

3.2 Linear Programming 

The second approach is given by the following theorem. 

Theorem 5. Consider an instance $\Pi$ of non-negative SSP such that there is at least 
one proper policy for each state. Then, the solution $v^*$ of the SSP problem is the largest 
fixpoint of operator $L$ defined in (3). Moreover, the following linear programming prob- 
lem has $v^*$ as unique solution: 

Maximize $\sum_{s \in S \setminus R} v_s$ subject to 

$v_s \leq c(s,a) + \sum_{t \in S \setminus R} p(s,a)(t)\, v_t + \sum_{t \in R} p(s,a)(t)\, g(t)$ 

for all $s \in S \setminus R$ and $a \in A(s)$. 
Proof. The theorem is proved by showing first that every fixpoint of the Bellman oper- 
ator (3) is no greater (componentwise) than the solution of the SSP problem. Next, we 
use the relationship between $\Pi$ and $\hat\Pi = ElimEC(\Pi)$ to show that one of the fixpoints 
is equal to the solution of the SSP problem; this implies that the solution of the SSP 
problem is the largest fixpoint. Finally, it can be shown that the linear programming 
problem yields the largest fixpoint, and thus the solution of the SSP problem. 
The details are omitted here. 

4 Solving Non-positive SSP Problems 

Consider an instance $\Pi = (S, Acts, A, p, R, c, g)$ of non-positive SSP problem, and 
assume that $S = Reach(R)$, i.e. that for every state there is a proper policy. Unlike in 
the non-negative case, it is possible that $v^*_s = -\infty$ for some $s \in S \setminus R$, and the first 
step towards the solution of non-positive SSP problems consists in determining the set 
of states from which the minimum cost diverges to $-\infty$. This can be done with the 
following algorithm. 

Algorithm 2. 

Input: A non-positive SSP problem $\Pi = (S, Acts, A, p, R, c, g)$, with $Reach(R) = S$. 
Output: The subset $Diverge(\Pi) = \{s \mid v^*_s = -\infty\}$. 

Method: Let $\mathcal{E} := \{(C, D) \in Mec(S \setminus R, A) \mid \exists s \in C . \exists a \in D(s) . c(s,a) < 0\}$ 
be the set of end components outside $R$ that have at least one strictly negative state- 
action pair, and let $C = \bigcup_{(C', D') \in \mathcal{E}} C'$ be the union of their states. 

Let $C_\infty = \mu X . \big(\neg R \wedge (APre(S, X) \vee C)\big)$ be the set of states that can reach $C$ 
without entering $R$. 

Return: $C_\infty$. 



Theorem 6. For an instance $\Pi$ of non-positive SSP such that $S = Reach(R)$, we 
have that $v^*_s = -\infty$ iff $s \in Diverge(\Pi)$. 

Proof. From a state $s \in Diverge(\Pi)$, we can reach with positive probability an end 
component in $\mathcal{E}$. Once there, we can stay in the end component arbitrarily long, accu- 
mulating an arbitrarily large amount of negative cost, before proceeding to the target. 
Hence, we have $v^*_s = -\infty$. The proof of the converse, 
i.e., that if $s \notin Diverge(\Pi)$ then $v^*_s > -\infty$, will be given in Section 4.1. 

Once the set $Diverge(\Pi)$ has been computed, it remains to compute $v^*_s$ for $s \in 
S \setminus (R \cup Diverge(\Pi))$. To this end, we first reduce the SSP problem by eliminating 
the states in $Diverge(\Pi)$. We define a new instance of SSP $\tilde\Pi = Converge(\Pi) = 
(\tilde S, Acts, \tilde A, \tilde p, R, \tilde c, \tilde g)$, where $\tilde S = S \setminus Diverge(\Pi)$, where $\tilde p, \tilde c, \tilde g$ are the restrictions of 
$p, c, g$ to $\tilde S$, and where for all $s \in \tilde S$ we let $\tilde A(s) = A(s)$. Keeping all actions is 
legitimate: $Diverge(\Pi)$ is closed under predecessors by construction, so no action of a state 
outside it leads into it with positive probability. The reduced non-positive SSP 
problem can then be solved in three ways: by eliminating the 0-cost end components, 
by linear programming, and by value iteration. 
4.1 Eliminating 0-Cost Components 

The first method for solving the reduced problem consists in eliminating the 0-cost end 
components using Algorithm 1 to compute $\hat\Pi = ElimEC(\tilde\Pi)$. The following theorem 
asserts that $\hat\Pi$ satisfies conditions SSP-1 and SSP-2: hence, the SSP instance $\hat\Pi$ can be 
solved with the methods known for that class of problems. 

Theorem 7. The non-positive SSP instance $\hat\Pi = ElimEC(\tilde\Pi)$ satisfies conditions 
SSP-1 and SSP-2. Moreover, let $B_1, \ldots, B_n$ be the 0-cost end components that are re- 
placed by states $\hat s_1, \ldots, \hat s_n$. Denoting by $v^*$ (resp. $\hat v^*$) the solution of the SSP problems 
on $\tilde\Pi$ (resp. $\hat\Pi$), we have $v^*_s = \hat v^*_s$ for $s \in \tilde S \setminus \bigcup_{i=1}^n B_i$ and $v^*_s = \hat v^*_{\hat s_i}$ for $s \in B_i$, 
$1 \leq i \leq n$. 

Proof. Since the costs are non-positive, the cost from a state never diverges to $+\infty$. 
Hence, by Theorem 1, a non-positive instance satisfies condition SSP-2 iff there are no 
end components entirely outside of the target $R$. To see that this condition holds for 
$\hat\Pi$, note that the end components containing some negative cost have been eliminated 
by Algorithm 2, while those consisting entirely of 0-cost state-action pairs have been 
eliminated by Algorithm 1. The second part of the result is proved in an analogous way 
to Theorem 4; the proof is not reported here. 

Theorem 7 also leads to the second part of Theorem 6. If $s \notin Diverge(\Pi)$, then 
$s \in \tilde S$. The fact that assumptions SSP-1 and SSP-2 hold for $\hat\Pi$, together with the known 
results for that class, ensures then that $v^*_s > -\infty$. 

Theorem 8. An instance of non-positive SSP problem $\Pi$ admits memoryless optimal 
(proper) policies iff $Diverge(\Pi) = \emptyset$. In any case, there is always a (possibly non- 
memoryless) optimal proper policy. 

Proof. To see that if $Diverge(\Pi) \neq \emptyset$, then there are no memoryless optimal policies, 
refer to Algorithm 2. Since under a memoryless policy the MDP behaves like a Markov 
chain, under a memoryless proper policy each path stays for a finite expected amount of 
time in the end components in $\mathcal{E}$ before reaching $R$, so that $v^\eta_s > -\infty$ for all $s \in S \setminus R$. 
On the other hand, there is a (non-memoryless) policy such that, once we reach an end 
component in $\mathcal{E}$, we stay for infinite expected time in the end component (accumulating 
an infinite expected cost) before reaching the target with probability 1. The proof that if 
$Diverge(\Pi) = \emptyset$ there are memoryless optimal policies is not reported here. 

4.2 Linear Programming 

Reasoning as in the proof of Theorem 5, it is possible to show that the solution of the 
SSP problem corresponds to the largest fixpoint of the Bellman operator. The solution 
can thus be computed by linear programming. 

Theorem 9. Consider an instance $\Pi$ of non-positive SSP problem such that $\Pi = 
Converge(\Pi)$, and such that there is at least one proper policy for each state. Then, the 
solution $v^*$ of the SSP problem is the largest fixpoint of operator $L$ of (3). Moreover, 
the following linear programming problem has $v^*$ as unique solution: 

Maximize $\sum_{s \in S \setminus R} v_s$ subject to 

$v_s \leq c(s,a) + \sum_{t \in S \setminus R} p(s,a)(t)\, v_t + \sum_{t \in R} p(s,a)(t)\, g(t)$ 

for all $s \in S \setminus R$ and all $a \in A(s)$. 

4.3 Value Iteration 

The third way to solve the reduced problem is by value iteration. Convergence to the 
solution of the SSP problem can be ensured simply by using an initial estimate that 
is identically 0. 

Theorem 10. Consider an instance $\Pi$ of non-positive SSP such that $\Pi = 
Converge(\Pi)$, and such that there is at least one proper policy for each state. Then, 
the solution of the SSP problem is given by $\lim_{k \to \infty} L^k(\mathbf{0})$, where $\mathbf{0}$ is the vector all 
whose entries are 0. 

Proof. The theorem follows from the fact that, in a non-positive SSP problem, all fix- 
points of the Bellman operator are componentwise smaller than or equal to $\mathbf{0}$. Since $L$ is 
monotone and $\mathbf{0}$ dominates every fixpoint, every iterate $L^k(\mathbf{0})$ dominates every fixpoint 
as well, so the limit is the largest such fixpoint; by Theorem 9 it is also 
the solution of the SSP problem. 



5 Maximum and Minimum Reachability Probabilities 

An instance $\Lambda = (S, Acts, A, p, T)$ of the maximum or minimum reachability problems 
consists of an MDP $(S, Acts, A, p)$ together with a destination set $T \subseteq S$. The max- 
imum and minimum reachability probability problems consist in determining, for all 
$s \in S$, the values 

$u^+_s = \sup_{\eta \in Pol} \Pr^\eta_s(\exists k . X_k \in T) , \qquad u^-_s = \inf_{\eta \in Pol} \Pr^\eta_s(\exists k . X_k \in T)$ . 

Let $Z \subseteq S$ be the subset of states that cannot reach $T$ (so that $u^+_s = 0$ for $s \in Z$). 
It is known that the maximum reachability probability can be computed by solving a 
linear programming problem on the set of variables $\{u_s \mid s \in S \setminus (T \cup Z)\}$. Here, we 
show how our results on the SSP problem can be used to improve the efficiency of that 
solution, as well as to solve the minimum reachability probability problem. 

Maximum Reachability Probability. To reduce the maximum reachability probabil- 
ity problem to the SSP problem, we construct from the instance $\Lambda$ an SSP instance 
$\Pi = Ssp^+(\Lambda) = (S, Acts, A, p, R, c, g)$, where $R := Reach(T) \cup Z$, the cost $c$ is 
identically 0, and the terminal cost is defined by $g(s) = -1$ for $s \in Reach(T)$, and 
$g(s) = 0$ for $s \in Z$. Note that $\Pi$ is both a non-negative and a non-positive instance of 
SSP problem. The following theorem relates the two problems. 

Theorem 11. If $\Pi = Ssp^+(\Lambda)$, then $u^+_s = -v^*_s$ for all $s \in S \setminus R$, where $u^+_s$ is 
computed on $\Lambda$ and $v^*_s$ on $\Pi$. 
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Proof. Since every state of S' \ i? can reach R, we have that Reach{R) = S, so that 
every state of S has a proper policy. From a memoryless optimal policy rjs for the 
SSP problem, we can construct a policy rjr that coincides with rjs on S \ R such that 
— = u']’', yielding —v* < uf for all s G S \ T. In the other direction, consider 
a memoryless policy r]r optimal for reachability (we know from | that such a policy 
exists). We have = —v']^ for all s G S \T. Moreover, is proper, since every 
state of S \ i? can reach T with positive probability. This yields the reverse inequality 
—v*>uf for all s G S \ i?, and hence the result. I 

Note that we have used algorithm | to reduce the size of the set of states on 
which the maximum reachability probability must be determined, from S' \ (T U 
to S \ {Reach(T) U Z). Theorem^Jopens the way to the application of Algorithm^ 
for the solution of maximum reachability probability problems. Since the running cost 
c is identically 0, the algorithm eliminates all end components of the MDP that lie com- 
pletely outside of Reach{T) U Z, achieving a further potential reduction in the size of 
the problem. 

Minimum Reachability Probability. Let $\{(C_1, D_1), \ldots, (C_n, D_n)\} = Mec(S \setminus T, A)$
be the set of maximal end components lying outside $T$, and let $C = \bigcup_{i=1}^n C_i$ be the
union of their states. Clearly, from $Z \cup C$ the minimum probability of reaching $T$ is 0.
Moreover, the MDP does not have any end component completely contained in $S \setminus (T \cup
Z \cup C)$. From the instance $A = (S, Acts, A, p, T)$ we construct an SSP instance $\Pi =
Ssp^-(A) = (S, Acts, A, p, R, c, g)$, where $R := T \cup Z \cup C$, the cost $c$ is identically 0,
and the terminal cost is defined by $g(s) = 0$ for $s \in Z \cup C$, and $g(s) = 1$ for $s \in T$.
The following theorem relates the two problems, and it enables the computation of the
minimum probability of reaching the target.

Theorem 12. If $\Pi = Ssp^-(A)$, then $u^-_s = v^*_s$ for all $s \in S$, where $u^-_s$ is computed
on $A$ and $v^*_s$ is computed on $\Pi$.

Proof. The proof of the theorem follows from the fact that all policies of $\Pi$ are proper,
and from the observation that from a policy $\eta_s$ of $\Pi$ we can easily obtain a policy $\eta_r$
for $A$ such that $u^{\eta_r}_s = v^{\eta_s}_s$ for all $s \in S$, and vice versa. $\square$

In this case, Algorithm [?] cannot be used to reduce the size of the problem, since
there are no end components in $S \setminus R$. The reduction has been effected in a more direct
way by adding the set $C$ to the set of target states of the SSP problem.
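The two reductions $Ssp^+$ and $Ssp^-$, carried out on a small MDP, as an added example that is not part of the paper. The five-state MDP, its state and action names, and the numbers are constructed for illustration. The example assumes the toy MDP has no end components outside $T \cup Z$, so the $Converge$ step and the $Reach(T)$ precomputation are skipped and the terminal set is simply $T \cup Z$; under that assumption value iteration from $\mathbf{0}$ converges as in Theorem 10, and Theorems 11 and 12 read off $u^+ = -v^*$ and $u^- = v^*$.

```python
"""Maximum and minimum reachability probabilities via the SSP reductions Ssp+ and Ssp-.

Added example, not from the paper. The toy MDP below is constructed for illustration.
The end-component removal (Converge) and the Reach(T) precomputation are skipped: the toy
MDP has no end component outside T u Z, so value iteration from the zero vector converges
(Theorem 10) with the terminal set R = T u Z."""

# Constructed toy MDP: state -> action -> {successor: probability}
MDP = {
    "s0": {"a": {"s1": 0.5, "z": 0.5}, "b": {"s2": 1.0}},
    "s1": {"a": {"t": 1.0}},
    "s2": {"a": {"t": 0.5, "s0": 0.5}},
    "t":  {"stay": {"t": 1.0}},     # target, absorbing
    "z":  {"stay": {"z": 1.0}},     # sink that cannot reach the target
}
TARGET = {"t"}


def cannot_reach(mdp, target):
    """Z: states from which no policy reaches `target` with positive probability
    (complement of graph-theoretic backward reachability from the target)."""
    can = set(target)
    changed = True
    while changed:
        changed = False
        for s, acts in mdp.items():
            if s not in can and any(t in can for dist in acts.values() for t in dist):
                can.add(s)
                changed = True
    return set(mdp) - can


def ssp_value_iteration(mdp, terminal, cost, g, tol=1e-12, max_iter=10_000):
    """Minimum expected cost of an SSP instance, by iterating the Bellman operator L
    from the zero vector:
        L(v)(s) = min_a [ c(s,a) + sum_{t not in R} p(s,a)(t) v_t + sum_{t in R} p(s,a)(t) g(t) ]."""
    v = {s: 0.0 for s in mdp if s not in terminal}
    for _ in range(max_iter):
        new = {}
        for s in v:
            new[s] = min(
                cost(s, a) + sum(p * (g[t] if t in terminal else v[t]) for t, p in dist.items())
                for a, dist in mdp[s].items()
            )
        delta = max(abs(new[s] - v[s]) for s in v) if v else 0.0
        v = new
        if delta < tol:
            break
    return v


def max_reachability(mdp, target):
    """u+ via Ssp+: R = T u Z, c = 0, g = -1 on T and 0 on Z; Theorem 11 gives u+ = -v*."""
    Z = cannot_reach(mdp, target)
    R = set(target) | Z
    g = {s: (-1.0 if s in target else 0.0) for s in R}
    v = ssp_value_iteration(mdp, R, lambda s, a: 0.0, g)
    return {**{s: -v[s] for s in v}, **{s: (1.0 if s in target else 0.0) for s in R}}


def min_reachability(mdp, target):
    """u- via Ssp-: R = T u Z u C (C empty here), c = 0, g = 1 on T and 0 on Z u C;
    Theorem 12 gives u- = v*."""
    Z = cannot_reach(mdp, target)
    R = set(target) | Z
    g = {s: (1.0 if s in target else 0.0) for s in R}
    v = ssp_value_iteration(mdp, R, lambda s, a: 0.0, g)
    return {**v, **g}


if __name__ == "__main__":
    print("u+ =", max_reachability(MDP, TARGET))   # s0, s1, s2 -> 1.0 (choose b in s0)
    print("u- =", min_reachability(MDP, TARGET))   # s0 -> 0.5, s2 -> 0.75, s1 -> 1.0
```

In the toy MDP the maximizing policy chooses $b$ in $s_0$ and loops through $s_2$ until the target is hit, so $u^+_{s_0} = 1$, while the minimizing policy chooses $a$ in $s_0$ and gives $u^-_{s_0} = 1/2$; note that for $Ssp^+$ the iteration only converges geometrically, which is why the loop runs to a tolerance rather than to an exact fixpoint.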

Optimal Policies. The maximum and minimum reachability problems admit memory- 
less optimal policies. This result is proved in 
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Abstract. Modular techniques for automatic verification attempt to overcome 
the state-explosion problem by exploiting the modular structure naturally present 
in many system designs. Unlike other tasks in the verification of finite-state sys- 
tems, current modular techniques rely heavily on user guidance. In particular, the 
user is typically required to construct module abstractions that are neither too de- 
tailed as to render insufficient benefits in state exploration, nor too coarse as to 
invalidate the desired system properties. In this paper, we construct abstract mod- 
ules automatically, using reachability and controllability information about the 
concrete modules. This allows us to leverage automatic verification techniques 
by applying them in layers: first we compute on the state spaces of system com- 
ponents, then we use the results for constructing abstractions, and finally we com- 
pute on the abstract state space of the system. Our experimental results indicate 
that if reachability and controllability information is used in the construction of 
abstractions, the resulting abstract modules are often significantly smaller than 
the concrete modules and can drastically reduce the space and time requirements 
for verification. 



1 Introduction 

The single largest obstacle to the use of automatic methods in system verification is 
the state-explosion problem, which is the exponential increase in the number of system 
states caused by a linear increase in the number of system components or variables. 
Modular verification techniques attempt to overcome the state-explosion problem by 
exploiting the modular structure naturally present in most system designs. The basic 
idea is to analyze each module of the system separately, perhaps together with an envi- 
ronment that represents a simplified model of the rest of the system; the results obtained 
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for the individual modules are then combined into a single result about the compound 
system. Unlike other tasks in the verification of finite-state systems, which have been 
largely automated, current modular verification techniques still rely heavily on user 
guidance. Aside from deciding how to break up a system into modules, the user also 
has to specify the environment in which to study each module, which is usually a dif- 
ficult task. In this paper, we present an approach to modular verification that is almost 
entirely automatic, leaving to the user only the task of specifying which variables of a 
module should be relevant to the other modules. 

For each concrete module, we erase some variables to construct an abstract module, 
which has a smaller state space; the abstract module is then used to replace the con- 
crete module in the verification process. If this approach is pursued naively, typically 
one of two things happens. Either one abstracts only variables that do not influence 
the property to be verified, which is certainly prudent but more often than not leads to 
insufficient savings, or one abstracts variables that do influence the desired property, 
in which case the abstract module may violate the property even though the concrete 
module does not. We take the second route, but use additional information about the 
concrete module in order to construct more useful abstractions than could be achieved 
by simply erasing variables. In the most basic variation of our method, we use reach- 
ability information about the concrete module when erasing variables to construct an 
abstraction. In a more advanced variation, we also use controllability information about 
the concrete module with respect to the desired property. In all cases, the additional 
information we use can be obtained fully automatically by looking only at individual 
modules and the property to be verified — there is no need to involve the compound 
system. Our experimental results indicate that the use of reachability and controllabil- 
ity information can lead to dramatic improvements in verification: the resulting module 
abstractions are often much smaller than the concrete modules yet still preserve the 
desired property. 

Our model of computation is that of transition systems defined over finite sets of
state variables. We describe systems as the parallel composition of one or more mod-
ules. A module $P = (V_P, I_P, T_P)$ consists of a set $V_P$ of variables, partitioned into in-
put and output variables, an initial predicate $I_P$ over $V_P$ defining the initial states of $P$,
and a transition predicate $T_P$ over $V_P \cup V_P'$ defining the possible state transitions of $P$ in
terms of their source states (over $V_P$) and destination states (over $V_P' = \{x' \mid x \in V_P\}$).
We consider systems consisting of non-blocking modules, in which every state has a
successor, regardless of the inputs to the module. The semantics of parallel composi-
tion is conjunction: $P \parallel Q = (V_P \cup V_Q,\; I_P \wedge I_Q,\; T_P \wedge T_Q)$. For the sake of simplicity,
in this paper we focus on Moore modules, for which the outputs during a transition de-
pend only on the source state of the transition. Our approach can be adapted with only
minor modifications to Mealy-type modules, such as the Reactive Modules of [?]. We
consider the verification of invariance properties. An invariance property for the module
$P$ is specified by an invariant predicate $\varphi$ over $V_P$. The module $P$ satisfies the invariant
predicate $\varphi$, written $P \models \Box\varphi$, if $P$ never leaves the set of states defined by $\varphi$.

Consider a system $P \parallel Q$ consisting of two modules $P$ and $Q$, and a desired in-
variant predicate $\varphi$ for $P \parallel Q$. To check if $P \parallel Q \models \Box\varphi$ without constructing the
global state space of $P \parallel Q$, we can remove a subset $W_P \subseteq V_P$ of the variables
of $P$ and a subset $W_Q \subseteq V_Q$ of the variables of $Q$. Formally, the abstract module
$(\exists W_P . P) = (V_P \setminus W_P,\; \exists W_P . I_P,\; \exists W_P, W_P' . T_P)$ is constructed by existentially
quantifying the removed variables in the initial and transition predicates; we say that
$(\exists W_P . P)$ is obtained by erasing from $P$ the variables in $W_P$. Then we can attempt to
use the following standard inference rule:

$$\frac{(\exists W_P . P) \parallel (\exists W_Q . Q) \models \Box\varphi}{P \parallel Q \models \Box\varphi} \qquad (1)$$

This rule is sound, because every reachable state of the concrete system $P \parallel Q$ corre-
sponds to a reachable state of the abstract system $(\exists W_P . P) \parallel (\exists W_Q . Q)$. The efficiency
advantage of the rule stems from the fact that the premise involves fewer variables than
the conclusion, reducing the size of the state space to be explored. However, the premise
may fail even though the conclusion holds, because there may be many reachable states
of the abstract system that do not correspond to reachable states of the concrete system.
In fact, it is often impossible to choose suitable, reasonably large sets $W_P$ and $W_Q$,
because modular designs aggregate naturally within each module only closely inter-
dependent variables. By erasing such dependencies between variables, the number of
transitions of the abstract system grows quickly to the point of violating all but trivial in-
variants. Our goal is to confine this growth in abstract transitions by utilizing additional
information about the component modules $P$ and $Q$.

More precisely, a state $s$ of $P$ can be written as a pair $s = (s_a, s_w)$, where $s_a$ is
a state over the set $V_P \setminus W_P$ of variables, and $s_w$ is a state over the set $W_P$ of erased
variables. The abstract module $(\exists W_P . P)$ contains a transition from source state $s_a$
to destination state $s_a'$ iff the concrete module $P$ contains a transition from $(s_a, s_w)$
to $(s_a', s_w')$ for some $s_w$ and $s_w'$. As a first improvement, we can include a transition
from $s_a$ to $s_a'$ in the abstract module only if, for some $s_w$ and $s_w'$, there is a transition
from $(s_a, s_w)$ to $(s_a', s_w')$ in the concrete module and the state $(s_a, s_w)$ is reachable
in the concrete module. This is because it is certainly not useful to include abstract
transitions that have no reachable concrete counterparts. To this end, we compute a
predicate $R_P$ over $V_P$ that defines the reachable states of $P$. The predicate $R_P$ can
be computed using standard state-space exploration (symbolic or enumerative). Our
experiments based on symbolic methods indicate that this computation is efficient, since
the module $P$ is considered in isolation. From the predicate $R_P$ we construct the module
$(P \,\&\, R_P) = (V_P,\; I_P,\; T_P \wedge R_P)$, which is like $P$, except that it allows only transitions
from reachable states. After erasing the variables in $W_P$, we obtain the abstract module
$(\exists W_P . (P \,\&\, R_P))$. In a similar way, we compute the reachability predicate $R_Q$ for
$Q$ and construct the abstract module $(\exists W_Q . (Q \,\&\, R_Q))$. To complete the verification
process, we then use the following rule:

$$\frac{(\exists W_P . (P \,\&\, R_P)) \parallel (\exists W_Q . (Q \,\&\, R_Q)) \models \Box\varphi}{P \parallel Q \models \Box\varphi} \qquad (2)$$

Since the systems $P \parallel Q$ and $(P \,\&\, R_P) \parallel (Q \,\&\, R_Q)$ have the same reachable states, rule
(2) is sound. As we shall see, unlike the simplistic rule (1), the improved rule (2) can of-
ten be successfully applied even when the sets $W_P$ and $W_Q$ include variables that con-
tribute to ensuring the invariant $\varphi$. Yet the savings in checking the premise of rule (2) are
just as great as those for checking the premise of the earlier rule (1), because the same
sets of variables are erased. In other words, $(\exists W_P . (P \,\&\, R_P)) \parallel (\exists W_Q . (Q \,\&\, R_Q))$ is a
more accurate but no more detailed abstraction of $P \parallel Q$ than is $(\exists W_P . P) \parallel (\exists W_Q . Q)$.
In our experiments we shall obtain dramatic results by applying rule (2) with the simple
heuristic of erasing those variables that are not involved in the communication between
$P$ and $Q$. While reachability information is often used in algorithmic verification, the
novelty of rule (2) consists in the use of such information for the modular construction
of abstractions.

The effectiveness of a rule such as (1) or (2) is directly related to the number of vari-
ables that can be erased in a successful application of the rule. Rule (2) improves on rule
(1) by using reachability information about the individual modules in the construction
of the abstractions, which usually permits the erasure of more variables. It is possible
to further improve on rule (2) by using, in addition to reachability information, also
information about the controllability of the individual modules with respect to the spec-
ification $\Box\varphi$. This improvement is based on the following observation. The predicate
$R_P$ used in (2) defines the reachable states of $P$ when $P$ is in a completely general en-
vironment. However, the module $P$ may exhibit anomalous behaviors in a completely
general environment; in particular, more states may be reachable under a completely
general environment than under the specific environment provided by $Q$. Of course, we
do not want to compute the reachable states of $P$ when $P$ is composed with $Q$; doing
so would require the exploration of the state space of the global system $P \parallel Q$, which
is exactly what our modular verification rules try to avoid. To study the module $P$ un-
der a suitable confining environment, while still avoiding the exploration of the global
state space, we consider the module $P$ in the most general environment $E$ that ensures
the invariant $\varphi$; that is, $E$ is the least restrictive module such that $P \parallel E \models \Box\varphi$. In
practice, we need not construct $E$ explicitly, but compute only the predicate $D_P$ that
defines the set of reachable states of $P \parallel E$. Since $E$ is more restrictive than the com-
pletely general environment, the predicate $D_P$ is stronger than $R_P$, and the implication
$D_P \to R_P$ holds. The algorithm for computing $D_P$ follows from the standard game-
theoretic algorithm for computing the set of states of the module $P$ that are controllable
with respect to the invariant $\varphi$; it can be implemented symbolically or enumeratively,
with a time complexity that is linear in the size of the state space of $P$ [?]. This leads to
the following modular verification rule:

$$\frac{(I_P \wedge I_Q) \to (D_P \wedge D_Q) \qquad P \parallel (\exists W_Q . (Q \,\&\, D_Q)) \models \Box D_P \qquad Q \parallel (\exists W_P . (P \,\&\, D_P)) \models \Box D_Q}{P \parallel Q \models \Box\varphi} \qquad (3)$$

where $W_P \subseteq V_P$ and $W_Q \subseteq V_Q$. The soundness of this rule depends on an inductive
argument, and it will be proved in detail in the paper. Essentially, the first premise en-
sures that the modules $P$ and $Q$ are initially in states satisfying $D_P \wedge D_Q$. The second
premise shows that, as long as $Q$ does not leave the set defined by $D_Q$, the module $P$
will not leave the set defined by $D_P$; the third premise is symmetrical. As the implica-
tions $D_P \to \varphi$ and $D_Q \to \varphi$ hold, the three premises lead to the conclusion. The rule
is in fact closely related to inductive forms of assume-guarantee reasoning [?].
The use of the stronger predicates $D_P$ and $D_Q$ in the second and third premises of
rule (3) potentially enables the erasure of more variables compared to the earlier
rule (2). However, in rule (3) this erasure can take place only on one side of the parallel
composition operator or, in the case of multi-module systems, for all modules but one.

While automatic approaches to the construction of abstractions for model check-
ing have been proposed, for example, in [?], these approaches do not exploit
reachability and controllability information in a modular fashion. In particular, instead
of the standard principle "first abstract, then model check the abstraction," our approach
follows the more refined principle "first model check the components, then use this in-
formation to abstract, then model check the compound abstraction." In this way, our
modular verification rules are doubly geared towards automatic verification methods:
state-space exploration is used both to compute the reachability and controllability pred-
icates, and to check all temporal premises (those which contain the $\models$ operator). It is
worth pointing out that nontemporal premises would result in rules that are consider-
ably less powerful. For example, suppressing variable erasures, the temporal premise
$(P \,\&\, R_P) \parallel (Q \,\&\, R_Q) \models \Box\varphi$ of rule (2) is weaker than the two nontemporal premises
$I_P \wedge I_Q \to \varphi$ and $\varphi \wedge R_P \wedge T_P \wedge R_Q \wedge T_Q \to \varphi'$ would be (here, $\varphi'$ results from
$\varphi$ by replacing all variables with their primed versions). Similarly, the second premise
of rule (3) is weaker than the two nontemporal premises $I_P \wedge I_Q \to D_Q \wedge D_P$ and
$D_P \wedge T_P \wedge D_Q \wedge T_Q \to D_P'$ would be. It is easy to find examples where our temporal
premises apply, but their nontemporal counterparts do not.

The outline of the paper is as follows. After introducing preliminary definitions in
Section 2, we develop the technical details of the proposed modular verification rules in
Section 3. The verification rules have been implemented on top of the MOCHA model
checker [?], using BDD-based fixpoint algorithms for the computation of the reacha-
bility and controllability predicates. In Section 4 we discuss the implementation of the
verification rules, and we describe the script language we devised in order to be able
to experiment efficiently with various modular verification techniques. In Section 5
we present experimental results for three examples: a demarcation protocol used to
maintain the consistency between distributed databases [?], a token-ring arbiter, and
a sliding-window protocol for data communication [?]. We conclude the paper with
some insights gathered in the course of the experimentation with the proposed verifica-
tion rules.



2 Modules 

Given a set $V$ of typed variables with finite domain, a state $s$ over $V$ is an assignment
for $V$ that assigns to each $x \in V$ a value $s[x]$. We also denote by $V' = \{x' \mid x \in V\}$
the set obtained by priming each variable in $V$. Given a predicate $H$ over $V$, we denote
by $H'$ the predicate obtained by replacing in $H$ every $x \in V$ with $x' \in V'$. Given a set
$A$ and an element $x$, we often write $A \setminus x$ for $A \setminus \{x\}$, when this generates no confusion.
A module $P = (C_P, \mathcal{E}_P, I_P, T_P)$ consists of the following components:

1. A (finite) set $C_P$ of controlled variables, each with finite domain, consisting of the
variables whose values can be accessed and modified by $P$.




Automating Modular Verification    87

2. A (finite) set $\mathcal{E}_P$ of external variables, each with finite domain, consisting of the
variables whose values can be accessed, but not modified, by $P$.

3. A transition predicate $T_P$ over $C_P \cup \mathcal{E}_P \cup C_P'$.

4. An initial predicate $I_P$ over $C_P$.

We denote by $V_P = C_P \cup \mathcal{E}_P$ the set of variables mentioned by the module. Given a
state $s$ over $V_P$, we write $s \models I_P$ if $I_P$ is satisfied under the variable interpretation
specified by $s$. Given two states $s, s'$ over $V_P$, we write $(s, s') \models T_P$ if the predicate $T_P$
is satisfied by the interpretation that assigns to $x \in V_P$ the value $s[x]$, and to $x' \in V_P'$
the value $s'[x]$. A module $P$ is non-blocking if the predicate $I_P$ is satisfiable, i.e., if
the module has at least one initial state, and if the assertion $\forall V_P \,.\, \exists C_P' \,.\, T_P$ holds,
so that every state has a successor. A trace of module $P$ is a finite sequence of states
$s_0, s_1, s_2, \ldots, s_n \in States(V_P)$, where $n \ge 0$ and $(s_k, s_{k+1}) \models T_P$ for all $0 \le k < n$;
the trace is initial if $s_0 \models I_P$. Two modules $P$ and $Q$ are composable if $C_P \cap C_Q = \emptyset$;
in this case, their parallel composition $P \parallel Q$ is defined as:

$$P \parallel Q = \big(C_P \cup C_Q,\; (\mathcal{E}_P \cup \mathcal{E}_Q) \setminus (C_P \cup C_Q),\; I_P \wedge I_Q,\; T_P \wedge T_Q\big) \;.$$

Given a module $P$ and a predicate $H$ over $V_P$, we denote by

$$(P \,\&\, H) = (C_P,\; \mathcal{E}_P,\; I_P \wedge H,\; T_P \wedge H)$$

the module like $P$, except that only transitions from states that satisfy $H$ are allowed.
Given a module $P$ and a set $W$ of variables, we let

$$(\exists W . P) = (C_P \setminus W,\; \mathcal{E}_P \setminus W,\; \exists W \,.\, I_P,\; \exists W, W' \,.\, T_P)$$

be the module obtained by erasing the variables $W$ in $P$. Note that the module $(P \,\&\, H)$
can be blocking even if module $P$ is non-blocking. On the other hand, the parallel
composition of non-blocking modules is non-blocking, and a module obtained from a
non-blocking module by erasing variables is also non-blocking.

A state of a module $P$ is reachable if it appears in some initial trace of $P$. We
denote by $Reach(P)$ the predicate defining the reachable states of $P$; this predicate can
be computed using standard state-space exploration techniques [?]. Given a module $P$
and a predicate $\varphi$, the relation $P \models \Box\varphi$ holds iff the implication $Reach(P) \to \varphi$ is
valid. In this paper, we present modular techniques for verifying whether the relation
$P_1 \parallel \cdots \parallel P_n \models \Box\varphi$ holds, where $P_1, P_2, \ldots, P_n$ are composable modules, for $n > 0$,
and where $\varphi$ is defined over the set of variables $\bigcup_{i=1}^n V_{P_i}$. This verification problem is
known as the invariant verification problem, and it is one of the most basic problems in
formal verification.

3 Modular Rules for Invariant Verification

In this section, we present three modular rules for the verification of invariants; the
rules are presented in order of increasing sophistication, and of increasing ability to
successfully erase variables. The first rule is a standard rule based on the construction
of abstract modules:

$$\frac{(\exists W_1 . P_1) \parallel \cdots \parallel (\exists W_n . P_n) \models \Box\varphi}{P_1 \parallel \cdots \parallel P_n \models \Box\varphi} \qquad (4)$$
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The second rule is derived from the above rule, by using in the construction of the 
abstract modules also information about the reachable states of the concrete modules. 
The third rule constructs the abstract modules using both reachability and controllability 
information about the concrete modules. 

3.1 Reachability-Based Abstractions 

In order to improve the ability of rule to successfully erase variables, we construct 
the abstract modules using reachability information about the concrete modules. Hence, 
we formulate the following modular verification rule: 

{3Wi.{PikReach{Pi))) |j • • • || (3 W„.(P„ h 
Pl\\---\\Pn^ 

This rule is sound. The rule is also complete, since whenever the conclusion holds, the 
premise also does, with the choice Wi = • • • = = 0. Our experiments indicated 

that rule Q is often surprisingly effective in enabling the successful erasure of vari- 
ables, leading to dramatic savings in the space and time requirements of verification. 
We illustrate this with an example. 

Example 1. This example is a simplified version of the token-ring example presented
in Section 5. Consider a system composed of two modules $P$ and $Q$ that circulate a
token through a 4-phase handshake protocol. The module $P$ has controlled variables
$C_P = \{grant_1, ack_1, x_1, y_1, c_1\}$ and external variables $\mathcal{E}_P = \{grant_2, ack_2\}$. All vari-
ables are boolean, except for $c_1$, which has domain $\{0, 1, 2, 3\}$. The module $Q$ is defined
similarly, except that the subscripts 1 and 2 are exchanged. Intuitively, $grant_2$ and $ack_1$
form the handshake that passes a token from $Q$ to $P$. Once the token arrives into $P$, it is
stored first in $x_1$, then in $y_1$. The handshake variables $grant_1$ and $ack_2$ are used to pass
the token back to $Q$. The variable $c_1$ is an auxiliary variable that records the number of
tokens in $P$. The initial condition of $P$ is $I_P : \neg ack_1 \wedge \neg grant_1 \wedge x_1 \wedge \neg y_1 \wedge (c_1 = 1)$; the
initial condition of $Q$ is $I_Q : \neg ack_2 \wedge \neg grant_2 \wedge \neg x_2 \wedge \neg y_2 \wedge (c_2 = 0)$, so that the single
token is initially in $x_1$ and counted by $c_1$. We present the transition predicate of $P$ in
guarded-commands notation, with the convention that the values of the variables not
mentioned in the assignments are not modified, and that the command to be executed is
chosen nondeterministically among those whose guards are true:

$$\begin{array}{lcl}
grant_2 \wedge \neg ack_1 \wedge \neg x_1 & \longrightarrow & ack_1' := T;\; x_1' := T;\; c_1' := (c_1 + 1) \bmod 4 \\
\neg grant_2 \wedge ack_1 & \longrightarrow & ack_1' := F \\
x_1 \wedge \neg y_1 & \longrightarrow & x_1' := F;\; y_1' := T \\
\neg grant_1 \wedge \neg ack_2 \wedge y_1 & \longrightarrow & grant_1' := T;\; y_1' := F;\; c_1' := (c_1 - 1) \bmod 4 \\
grant_1 \wedge ack_2 & \longrightarrow & grant_1' := F \\
T & \longrightarrow & \text{(no assignment)}
\end{array}$$

The transition predicate of $Q$ is identical, except that the subscripts 1 and 2 are ex-
changed. The invariant is $\varphi : [(c_1 + c_2) \bmod 4 < 2]$, and states that there is at
most one token. To verify that $P \parallel Q \models \Box\varphi$, we can apply rule (5) with sets of erased
variables $W_P = \{x_1, y_1\}$ and $W_Q = \{x_2, y_2\}$. Hence, we are able to erase all the
variables that are not used for communication, and that do not appear in the invariant.
The intuition is that, once the value of $c_1$ is known, the predicate

$$Reach(P) : (c_1 = 0 \wedge \neg x_1 \wedge \neg y_1) \vee (c_1 = 1 \wedge (x_1 \ne y_1)) \vee (c_1 = 2 \wedge x_1 \wedge y_1)$$

provides sufficient information about the possible values of the erased variables $x_1$ and
$y_1$ to enable an accurate computation of the successor states. In contrast, rule (4) does
not enable the erasure of any variables. $\square$
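The following Python program is an added example and not the paper's (BDD-based MOCHA) implementation. It builds the two modules of Example 1 from their guarded commands, implements the operations of Section 2 ($\parallel$, $(P \,\&\, H)$, $(\exists W . P)$, $Reach$) by explicit enumeration, and checks the premises of rules (4) and (5) with $W_P = \{x_1, y_1\}$ and $W_Q = \{x_2, y_2\}$: the rule (4) premise fails (with $x_i, y_i$ erased both modules can "send" a token they do not hold, even in the same step), while the rule (5) premise holds. The state representation, the function names and the synchronous-step reading of $T_P \wedge T_Q$ are this example's own choices, not notation from the paper.

```python
"""Rules (4) and (5) on the token-ring modules of Example 1, with enumerative modules.

Added example; not the paper's implementation. Modules follow Section 2: a state is a
valuation of V_P = C_P u E_P, I_P constrains C_P, and T_P constrains only C_P', so the
environment may change the external variables freely between steps."""
from itertools import product

DOM = {f"{v}{i}": (False, True) for v in ("grant", "ack", "x", "y") for i in (1, 2)}
DOM.update(c1=(0, 1, 2, 3), c2=(0, 1, 2, 3))


def valuations(names):
    """All states over `names`, as sorted tuples of (variable, value) pairs."""
    names = sorted(names)
    return [tuple(zip(names, vals)) for vals in product(*(DOM[n] for n in names))]


def proj(state, names):            # restrict a state to the variables in `names`
    return tuple(p for p in state if p[0] in names)


class Module:
    """Explicit-state module (C_P, E_P, I_P, T_P): `init` is a set of states over V_P,
    `trans` maps a state over V_P to the set of successor valuations of C_P."""
    def __init__(self, ctrl, ext, init, trans):
        self.ctrl, self.ext = frozenset(ctrl), frozenset(ext)
        self.vars, self.init, self.trans = self.ctrl | self.ext, init, trans

    def reach(self):
        """Reach(P): states on initial traces of P in an arbitrary environment."""
        exts = valuations(self.ext)
        seen, todo = set(self.init), list(self.init)
        while todo:
            s = todo.pop()
            for nxt in self.trans[s]:
                for e in exts:
                    t = tuple(sorted(nxt + e))
                    if t not in seen:
                        seen.add(t)
                        todo.append(t)
        return seen


def from_commands(ctrl, ext, init_pred, commands):
    """Module from guarded commands (guard, update): unmentioned controlled variables
    keep their value and one enabled command fires per step."""
    init, trans = set(), {}
    for s in valuations(set(ctrl) | set(ext)):
        d = dict(s)
        if init_pred(d):
            init.add(s)
        succ = set()
        for guard, update in commands:
            if guard(d):
                n = {v: d[v] for v in ctrl}
                n.update(update(d))
                succ.add(tuple(sorted(n.items())))
        trans[s] = succ
    return Module(ctrl, ext, init, trans)


def restrict(m, H):                # (P & H): only initial states and sources inside H
    return Module(m.ctrl, m.ext, m.init & H, {s: (t if s in H else set()) for s, t in m.trans.items()})


def erase(m, W):                   # (exists W . P): quantify W out of I_P and T_P
    keep = m.vars - set(W)
    trans = {}
    for s, succ in m.trans.items():
        trans.setdefault(proj(s, keep), set()).update(proj(t, keep) for t in succ)
    return Module(m.ctrl - set(W), m.ext - set(W), {proj(s, keep) for s in m.init}, trans)


def compose(p, q):                 # P || Q: conjunction of initial and transition predicates
    ctrl = p.ctrl | q.ctrl
    ext = (p.ext | q.ext) - ctrl
    init, trans = set(), {}
    for s in valuations(ctrl | ext):
        sp, sq = proj(s, p.vars), proj(s, q.vars)
        if sp in p.init and sq in q.init:
            init.add(s)
        trans[s] = {tuple(sorted(a + b)) for a in p.trans[sp] for b in q.trans[sq]}
    return Module(ctrl, ext, init, trans)


def holds(m, phi):                 # P |= []phi  iff  Reach(P) -> phi
    return all(phi(dict(s)) for s in m.reach())


def token_module(i):
    """Module P_i of Example 1; P_1 starts with the token in x_1, so c_1 = 1 and c_2 = 0."""
    j = 3 - i
    g, a, x, y, c, gj, aj = (f"grant{i}", f"ack{i}", f"x{i}", f"y{i}", f"c{i}", f"grant{j}", f"ack{j}")
    tok = i == 1
    init = lambda s: not s[a] and not s[g] and s[x] == tok and not s[y] and s[c] == int(tok)
    cmds = [
        (lambda s: s[gj] and not s[a] and not s[x], lambda s: {a: True, x: True, c: (s[c] + 1) % 4}),
        (lambda s: not s[gj] and s[a],              lambda s: {a: False}),
        (lambda s: s[x] and not s[y],               lambda s: {x: False, y: True}),
        (lambda s: not s[g] and not s[aj] and s[y], lambda s: {g: True, y: False, c: (s[c] - 1) % 4}),
        (lambda s: s[g] and s[aj],                  lambda s: {g: False}),
        (lambda s: True,                            lambda s: {}),
    ]
    return from_commands((g, a, x, y, c), (gj, aj), init, cmds)


PHI = lambda s: (s["c1"] + s["c2"]) % 4 < 2     # at most one token in the ring


def check_example1():
    """(concrete P||Q |= []phi, premise of rule (4), premise of rule (5))."""
    P, Q = token_module(1), token_module(2)
    WP, WQ = {"x1", "y1"}, {"x2", "y2"}
    concrete = holds(compose(P, Q), PHI)
    rule4 = holds(compose(erase(P, WP), erase(Q, WQ)), PHI)
    rule5 = holds(compose(erase(restrict(P, P.reach()), WP), erase(restrict(Q, Q.reach()), WQ)), PHI)
    return concrete, rule4, rule5


if __name__ == "__main__":
    print(check_example1())   # (True, False, True)
```

The abstract system of rule (5) has only 256 states against 1024 for $P \parallel Q$, and the reason it still proves $\varphi$ is visible in `restrict`: a "send" step needs $y_1$, and $Reach(P)$ ties $y_1 = T$ to $c_1 \ge 1$, so a module can never decrement a counter it has not incremented first.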

3.2 Controllability and Reachability-Based Abstractions

Consider an instance $P_1 \parallel \cdots \parallel P_n \models \Box\varphi$ of the invariant verification problem, for
$n \ge 1$. As mentioned in the introduction, the predicate $Reach(P_i)$ defines the reachable
states of module $P_i$ when the module $P_i$ is in a completely arbitrary environment, for
$1 \le i \le n$. However, a module may have many more reachable states when composed
with a completely arbitrary environment than when composed with the other modules
of the system. To obtain more precise predicates, we consider the states of $P_i$ that are
reachable under the most general environment under which $P_i$ satisfies the specification
$\Box\varphi$, for $1 \le i \le n$. The idea is that, if the system has been properly designed, then the
actual environment of $P_i$ is a special case of this most general environment.

An environment for a module $P$ is a non-blocking module $E$ composable with $P$.
Given a module $P$ and a predicate $\varphi$, we denote by $Envs(P)$ the set of all environments
of $P$, and we let $Envs_\varphi(P) = \{E \in Envs(P) \mid P \parallel E \models \Box\varphi\}$ be the set of environments
of $P$ under which the specification $\Box\varphi$ holds. We define

$$CR(P, \varphi) = \bigvee_{E \in Envs_\varphi(P)} \exists(V_E \setminus V_P) \,.\, Reach(P \parallel E)$$

with the convention that $CR(P, \varphi) = F$ if $Envs_\varphi(P) = \emptyset$. The predicate $CR(P, \varphi)$
defines the set of states of $P$ that can be reached when $P$ is composed with an environ-
ment under which $\Box\varphi$ holds. Denote by $V_\varphi$ the variables occurring in $\varphi$. The following
proposition gives some additional properties of the predicate $CR(P, \varphi)$.

Proposition 1. Given a non-blocking module $P$ and a predicate $\varphi$, the following as-
sertions hold.

1. There is an environment $E \in Envs_\varphi(P)$ with $V_E = V_P \cup V_\varphi$ such that
$CR(P, \varphi) = \exists(V_E \setminus V_P) \,.\, Reach(P \parallel E)$.

2. The implications $CR(P, \varphi) \to \exists(V_\varphi \setminus V_P) \,.\, \varphi$ and $CR(P, \varphi) \to Reach(P)$ hold.

Regarding the second assertion, note that in the introduction we implicitly assumed
$V_\varphi \subseteq V_{P_i}$ for $1 \le i \le n$ for the sake of simplicity, while here we are only assuming
the weaker $V_\varphi \subseteq \bigcup_{i=1}^n V_{P_i}$. We can then formulate the verification rule:

$$\frac{\displaystyle \bigwedge_{i=1}^n I_{P_i} \to \bigwedge_{i=1}^n CR(P_i, \varphi) \qquad P_i \parallel \Big(\|_{j \in \{1,\ldots,n\} \setminus i}\, (\exists W_j . (P_j \,\&\, CR(P_j, \varphi)))\Big) \models \Box\, CR(P_i, \varphi) \quad (1 \le i \le n)}{P_1 \parallel \cdots \parallel P_n \models \Box\varphi} \qquad (6)$$
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In the second premise of this rule, for 1 < z < n, we cannot erase variables of Pi. In 
fact, the predicate CR{Pi, (p) on the right hand side of ^ involves most of the variables 
in Pi, preventing their erasure. In the experiments described in Section^ the systems 
were composed of two modules, and rule Q performed better than rule Q, since in 
rule Q the variables could be erased in both the composing modules. In systems com- 
posed of many modules, it is conceivable that the advantage derived from using the 
stronger predicates of rule Q in all modules but one, thus possibly erasing more vari- 
ables, outweighs the disadvantage of not being able to erase variables in one of the 
modules. 

Proposition 2 . Rule Q is sound. If Pi, . . . , are non-blocking, rule Q is also 
complete: if the conclusion holds, then the premises also hold for Wi = ■ ■ ■ = Wn = 0- 

Proof. It suffices to consider the case Wi = • • • = = 0. To show that the rule 

is sound, we assume that its premises hold, and we prove by induction on fc > 0 
that, if So, si, . . . , Sfc is an initial trace of Pi || • • • || P„, then Si \= CR{Pj, (p) for all 
0 < i < k and 1 < j < n. The base case follows from the first premise of Q. For 
the induction step, assume that the assertion holds for k, and consider the assertion for 
fc -f 1 for any j, with 1 < j < n. The trace sq, si, . . . , Sfc, Sfc+i is an initial trace of 
II (ll/G{i,...,n}\j {Pj ^ v?))) Hence, we have that Sfc+i ^ CR{Pj,p), com- 

pleting the induction step. From Vip C Vp^ and from Proposition^ partH we 
have that the implication (A”=i CR{Pi, p)) — > p holds. This implication, together with 
the conclusion of the induction proof, leads to the desired result. The completeness of 
the rule follows by noticing that if Pi |1 • • • || Pn H D'F’ then by definition of CRf, p) 
we have Pi || • • • || Pn h a{CR{Pi,p) A • • • A CR{Pn,p)). I 

To compute the predicate $CR(P, \varphi)$ given $P$ and $\varphi$, we proceed in two steps. First, we
compute the predicate $Ctr(P, \varphi)$ defining the set of states from which $P$ is controllable
with respect to the safety property $\Box\varphi$. The predicate $Ctr(P, \varphi)$ can be computed with
a standard controllability algorithm [?].

Algorithm 1.

Input: Module $P$ and predicate $\varphi$.

Output: Predicate $Ctr(P, \varphi)$ over $V_P$.

Initialization: Let $B = V_\varphi \setminus V_P$ and $U_0 = \exists B \,.\, \varphi$.

Repeat: For $k \ge 0$, let $U_{k+1} = U_k \wedge \exists(\mathcal{E}_P' \cup B') \,.\, \forall C_P' \,.\, (T_P \to (U_k' \wedge \varphi'))$.

Until: $U_{k+1} = U_k$.

Return: $U_k$.

The algorithm computes a sequence $U_0, U_1, U_2, \ldots$ of increasingly strong predicates.
For $k \ge 0$, predicate $U_k$ defines the states from which it is possible to control $P$ to
satisfy predicate $\varphi$ for at least $k + 1$ steps; note that the implication $U_k \to \exists B \,.\, \varphi$ holds
for $k \ge 0$. At each iteration $k \ge 0$, the algorithm lets $U_{k+1}$ define the set of states from
which the environment can choose the next value for the external variables, so that for
all choices of the controlled variables, the successor states of the transitions satisfy $U_k$.
The following algorithm computes the predicate $CR(P, \varphi)$, using the previous algorithm
as a subroutine.
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Algorithm 2 . 

Input: Module P and predicate 
Output: Predicate CR{P, (p) over Vp. 

Initialization: Let P = V<^\Vp, and Vq = Ip A 3 P . \/Cp . [ip {Ctr{P, p) A v^)). 
Repeat: For fc > 0, let 

= 14' V 3Vp . [Ffc A Tp A 3P’ . \/C'p . {Tp ^ (a/(P, p) A t^))] . 

Until: Ffc+i = Vk. 

Return: Vk- 

For each fc > 0, the predicate Vk over Vp defines the set of states of P that can 
be reached in k or less steps when P is composed with an environment E such that 
P II FI ^ □(/?. To understand how this predicate is computed, note that the predicate 
VCp . {Ip {Ctr{P, ip) A ip)) defines the set of initial valuations for the variables 
in £p U P that are safe for the environment: if one such valuation is chosen by the 
environment, the system will start in a controllable state that satisfies p, regardless of 
the valuation for the controlled variables in Cp chosen by the module P. The itera- 
tion step follows a similar idea. If 14 defines the set of current states, then the formula 
Ki : 3Vp .{VkATp) over C'p defines the valuations for the controlled variables that can 
be chosen by P for the following state. The environment must choose a valuation for 
the variables in £p U P' that ensures that, regardless of the valuation for Cp chosen by 
the module, the successor state satisfies Ctr{P, p) A p. If Vk defines the set of current 
states, the set of such valuations for £'p U P' is defined by the formula 

K2 : 3 Vp . VC'p . {{Vk A Tp) ^ {CtrfP, p) A <^)) . 

It is then easy to see that the iteration step of Algorithmjcan be written simply as 
Vfc+i = Ki A 3 P' . K2, so that Ki constrains the next valuation of the controlled vari- 
ables, and 3 P' . K2 constrains the next valuation of the external variables. Algorithms 
QandQcan be implemented enumeratively or symbolically, and they have running time 
linear in \States{Vp U V<p)|. In the next example, we see how rule Q can enable the 
erasure of variables that could not be erased with rule 

Example 2. Consider the verification problem $P_1 \parallel P_2 \models \Box\varphi$, where the invariant is $\varphi : \neg z_1 \wedge \neg z_2$. The modules have variables $C_{P_i} = \{x_i, y_i, z_i\}$ and $E_{P_i} = \{x_{3-i}, z_{3-i}\}$, for $1 \leq i \leq 2$; all the variables are boolean. Module $P_1$ has initial predicate $I_{P_1} : \neg x_1 \wedge \neg y_1 \wedge \neg z_1$, and has transition predicate $T_{P_1} : [x'_1 = z_2] \wedge [(\neg x_1 \wedge \neg x_2) \rightarrow (y'_1 = y_1)] \wedge [\neg y_1 \rightarrow (z'_1 = z_1)]$. Module $P_2$ is defined in a symmetrical fashion. Informally, module $P_1$ behaves as follows. Initially, all variables are false. At each step, the new value for $x_1$ is the old value of $z_2$. If $x_1 \vee x_2$ holds, then $y_1$ can change value; otherwise, it retains its previous value. If $y_1$ is true, then $z_1$ can change value; otherwise, it retains its previous value. It is easy to check that $P_1 \parallel P_2 \models \Box\varphi$ holds.

Consider module $P_1$. The states where $z_1 = T$ or $z_2 = T$ are obviously not controllable. The states where $y_1 = T$ are also not controllable, since from these states module $P_1$ can reach a state where $z_1 = T$ regardless of the values of the external variables $x_2$ and $z_2$. Likewise, the states where $x_1 = T$ or $x_2 = T$ are not controllable, since from these states the module can reach a state where $y_1 = T$ regardless of the values of the external variables. The only controllable (and reachable) state of $P_1$ is thus defined by the predicate $CR(P_1, \varphi) : \neg x_1 \wedge \neg y_1 \wedge \neg z_1 \wedge \neg x_2 \wedge \neg z_2$. Predicate $CR(P_2, \varphi)$ is defined in a symmetrical fashion. The reachability predicates are given simply by $Reach(P_1) : T$ and $Reach(P_2) : T$.

The controllability-based rule can be applied by taking $W_1 = W_2 = \{y_1, y_2\}$. In fact, the composite module $P_1 \parallel (\exists W_2 \,.\, (P_2 \,\&\, CR(P_2, \varphi)))$ admits only the initial traces consisting of repetitions of the state $[x_1 = F, y_1 = F, z_1 = F, x_2 = F, z_2 = F]$. This shows that the first premise holds; the case for the second premise is symmetrical. On the other hand, no variable can be successfully erased using the reachability-based rule. In fact, if we erase variable $y_2$, then the right hand side exhibits the initial trace $s_0, s_1$, where $s_0 : [x_1 = F, y_1 = F, z_1 = F, x_2 = F, z_2 = F]$ and $s_1 : [x_1 = F, y_1 = F, z_1 = F, x_2 = F, z_2 = T]$. This trace is possible because the state $t_0 : [x_1 = F, z_1 = F, x_2 = F, y_2 = T, z_2 = F]$ over $V_{P_2}$ is reachable, and hence it satisfies $Reach(P_2)$, and agrees with $s_0$ on the shared variables. The trace is then a consequence of the transition from $t_0$ to $t_1 : [x_1 = F, z_1 = F, x_2 = F, y_2 = T, z_2 = T]$ in $P_2$. A similar argument shows that it is not possible to erase the variable $x_2$. ■



4 Implementation of the Verification Rules 

We have implemented the algorithms described in this paper in the verification tool Mocha. Mocha is an interactive verification environment and it enables, among other things, the verification of invariants using both enumerative and symbolic techniques; for the latter, it relies on the BDD package and image computation engine provided by VIS, which we used in our implementation.

One important technique we use in the implementation of the rules is that, instead of computing the abstract modules explicitly, we compute them implicitly. The idea is as follows: suppose we are computing the reachable states of $(\exists W_P \,.\, P) \parallel (\exists W_Q \,.\, Q)$. A straightforward algorithm would be to first compute the two abstract modules, and then compute the reachable states of their composition. This is very inefficient in terms of the usage of space. Transition relations are usually presented as a list of conjuncts rather than as a single, larger conjunct. The explicit computation of the abstract modules would imply conjoining all the transition relations and building a monolithic one: if represented as a BDD, such a monolithic conjunct would often be prohibitively large. Instead, we quantify away the erased variables of the abstract modules only when necessary, as for example in the computation of the reachable states. For instance, we use the following symbolic algorithm to compute the reachable states of the parallel composition of two abstract modules:

Algorithm 3.

Input: Modules $P$ and $Q$, and variables $W_P \subseteq V_P \setminus C_Q$ and $W_Q \subseteq V_Q \setminus C_P$.

Output: $Reach((\exists W_P \,.\, P) \parallel (\exists W_Q \,.\, Q))$.

Initialization: Let $U_0 = \exists (W_P \cup W_Q) \,.\, (I_P \wedge I_Q)$.

Repeat: For $k \geq 0$, let $U_{k+1} = U_k \vee \exists (V_P \cup V_Q \cup W'_P \cup W'_Q) \,.\, (U_k \wedge T_P \wedge T_Q)$.

Until: $U_{k+1} = U_k$.

Return: $U_k$.
In the body of the loop, we rely on the early quantification algorithm in VIS to keep the intermediate BDDs small. With this scheme, a monolithic transition relation is never built. In particular, our implementation represents abstract modules as pairs consisting of a concrete module and of a list of variables that have been erased from it; such pairs are called extended modules.
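As an added example, not the Mocha implementation described here, the following Python code runs Algorithms 1, 2 and 3 enumeratively (sets of states instead of BDDs) on the two modules of Example 2. It recomputes $CR(P_1, \varphi)$, and then computes the reachable states of $P_1$ composed with $P_2$ after erasing $y_2$, once with $P_2$ restricted by $Reach(P_2)$ (which is $T$, so no restriction is applied) and once with $P_2$ restricted by $CR(P_2, \varphi)$, reproducing the two outcomes discussed in the example. The encoding of the modules, the function names, and the modelling of the restriction operator $P \,\&\, \rho$ as a filter on current states are assumptions made for this illustration.

```python
from itertools import product

# Example 2's modules P1 and P2, encoded to match the text. A module is a dict holding its
# controlled and external variable names, its initial predicate I and its transition
# predicate T over V ∪ C' (the argument c holds the primed controlled values).
def site(i):
    j = 3 - i
    x, y, z, xo, zo = f"x{i}", f"y{i}", f"z{i}", f"x{j}", f"z{j}"
    def init(s):
        return not (s[x] or s[y] or s[z])
    def trans(s, c):
        ok = c[x] == s[zo]                          # x_i' = z_j
        if not (s[x] or s[xo]):
            ok = ok and c[y] == s[y]                # y_i may change only if x_i ∨ x_j
        if not s[y]:
            ok = ok and c[z] == s[z]                # z_i may change only if y_i
        return ok
    return {"ctrl": (x, y, z), "ext": (xo, zo), "init": init, "trans": trans}

P1, P2 = site(1), site(2)

def phi(s):                                         # invariant φ : ¬z1 ∧ ¬z2
    return not (s["z1"] or s["z2"])

def vals(names):                                    # every valuation of the given boolean variables
    return [dict(zip(names, bits)) for bits in product((False, True), repeat=len(names))]

def key(s, names):
    return tuple(s[v] for v in names)

def ctr(m):
    """Algorithm 1, Ctr(P, φ): the greatest U ⊆ φ such that from every state of U the
    environment can pick next external values under which every module move lands in U ∧ φ."""
    names = m["ctrl"] + m["ext"]
    U = {key(s, names) for s in vals(names) if phi(s)}
    while True:
        nxt = set()
        for s in (s for s in vals(names) if key(s, names) in U):
            moves = [c for c in vals(m["ctrl"]) if m["trans"](s, c)]
            if any(all(key({**c, **e}, names) in U and phi({**c, **e}) for c in moves)
                   for e in vals(m["ext"])):
                nxt.add(key(s, names))
        if nxt == U:
            return U
        U = nxt

def cr(m):
    """Algorithm 2, CR(P, φ): the states reachable while the environment keeps the module
    inside Ctr(P, φ) ∧ φ."""
    names = m["ctrl"] + m["ext"]
    C = ctr(m)
    safe = lambda s: key(s, names) in C and phi(s)
    V = set()
    for e in vals(m["ext"]):                        # V_0: externals safe for every initial controlled part
        inits = [{**c, **e} for c in vals(m["ctrl"]) if m["init"]({**c, **e})]
        if all(safe(s) for s in inits):
            V |= {key(s, names) for s in inits}
    while True:
        nxt = set(V)
        for s in (s for s in vals(names) if key(s, names) in V):
            moves = [c for c in vals(m["ctrl"]) if m["trans"](s, c)]     # K1: the module's moves
            for e in vals(m["ext"]):                                      # ∃E'.K2: a safe external choice
                if all(safe({**c, **e}) for c in moves):
                    nxt |= {key({**c, **e}, names) for c in moves}
        if nxt == V:
            return V
        V = nxt

def restriction(pred, m):
    """The operator `m & pred`, modelled (an assumption) as a filter on current states;
    `pred` is a set of keys over V_m, as returned by cr()."""
    names = m["ctrl"] + m["ext"]
    return lambda s: key(s, names) in pred

def reach_abstract(p, q, erased=(), p_ok=lambda s: True, q_ok=lambda s: True):
    """Algorithm 3, enumeratively: Reach((∃W_P.P) || (∃W_Q.Q)) over the kept variables.
    Erased variables are projected away after every step and never from the modules, so
    their current values are unconstrained at the start of each step (the over-approximation)."""
    names = p["ctrl"] + q["ctrl"]                   # V_P ∪ V_Q: each module's externals are the other's controls
    kept = tuple(v for v in names if v not in erased)
    proj = lambda s: tuple((v, s[v]) for v in kept)
    ok = lambda s: p_ok(s) and q_ok(s)
    U = {proj(s) for s in vals(names) if p["init"](s) and q["init"](s) and ok(s)}
    while True:
        nxt = set(U)
        for s in (s for s in vals(names) if proj(s) in U and ok(s)):
            for cp in (c for c in vals(p["ctrl"]) if p["trans"](s, c)):
                for cq in (c for c in vals(q["ctrl"]) if q["trans"](s, c)):
                    nxt.add(proj({**cp, **cq}))
        if nxt == U:
            return U
        U = nxt

if __name__ == "__main__":
    print("CR(P1, φ) =", cr(P1))                                           # the single all-false state
    print("erase y2, Reach(P2) = T:", reach_abstract(P1, P2, ("y2",)))    # reaches a state with z2 = T
    print("erase y2, CR(P2, φ):", reach_abstract(P1, P2, ("y2",), q_ok=restriction(cr(P2), P2)))
```

The third call is the premise of the controllability-based rule: because a state with $y_2 = T$ is outside $CR(P_2, \varphi)$, the spurious transition $t_0 \rightarrow t_1$ is cut off and only the all-false state remains reachable, whereas the second call reaches $s_1$ exactly as the example describes.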

In order to experiment with the verification rules proposed in this paper, we implemented a simple script language, called sl, built on top of Mocha and based on the Tcl/Tk API. The algorithms and methodologies described in this paper provide the theoretical basis of the commands provided by sl. The verification rules proposed in this paper can be implemented as sl scripts, and the language sl provides invaluable flexibility for experimenting with alternative forms of the rules. An example of script is the following, which verifies the correctness of the demarcation protocol using the reachability-based rule (the demarcation protocol is described in Section 5.1).



    read_module  demarc.rm
    sl_em        P Q Spec
    sl_reach     phi em_Spec s
    sl_reach     rp em_P s
    sl_restrict  Prest rp em_P
    sl_erase     Pabs Prest P/xw P/xr P/req1 P/grant1 P/req2 \
                 P/grant2 P/xlupd1 P/xlupd2 P/busy
    sl_reach     rq em_Q s
    sl_restrict  Qrest rq em_Q
    sl_erase     Qabs Qrest Q/xw Q/xr Q/req1 Q/grant1 Q/req2 \
                 Q/grant2 Q/xlupd1 Q/xlupd2 Q/busy
    sl_compose   Rabs Pabs Qabs
    sl_checkinv  Rabs phi s



The command read_module parses the file demarc.rm, containing the declarations of the modules P and Q, composing the protocol, and Spec, whose reachable states constitute the invariant. The command sl_em P Q Spec builds the extended modules em_P, em_Q, and em_Spec from P, Q, and Spec; of course, these extended modules have empty sets of erased variables. The command sl_reach phi em_Spec s computes the predicate phi $= Reach(\mathtt{em\_Spec})$. The parameter s of this and other commands means "silent", i.e., no diagnostic information is printed. The rest of the script checks that em_P $\parallel$ em_Q $\models \Box$phi using the reachability-based rule. First, the commands sl_reach and sl_restrict are used to compute rp $= Reach(\mathtt{em\_P})$ and Prest $=$ (em_P & rp). Then, the command sl_erase erases a specified list of variables from Prest, producing the extended module Pabs. As discussed earlier, the command sl_erase performs no actual computation, but simply adds the specified variables to the list of erased variables. The extended module Qabs is constructed in an analogous fashion. Finally, the command sl_compose composes Pabs and Qabs into a single extended module Rabs, which is checked against the specification $\Box$phi by the command sl_checkinv.

Apart from these commands, we have also implemented commands including sl_wcontr and sl_contrreach, which together compute the predicate $CR(P, \varphi)$ given a module $P$ and a predicate $\varphi$.
5 Experimental Results

To demonstrate the effectiveness of the proposed approach to modular verification, we compare the time and memory requirements of global state-space exploration with those of the two rules (the one based on $Reach$ and the one based on $CR$). We do not compare our approach with other modular verification approaches, since these approaches involve user intervention for the construction of the environments. By manually constructing the environments or the abstractions it is possible to improve on our results.

We consider three examples: a demarcation protocol used in distributed databases, a token-ring arbiter, and a sliding-window protocol for data communication. All experiments have been run on a 233 MHz Pentium II PC with 128 MB of memory running Linux. We report the memory usage by giving the maximum number of BDD nodes used in any fixpoint computation or predicate; this is essentially the maximum number of BDD nodes used at any single time during verification. We also report the total CPU time; this time does not include swap activity (swap activity was in any case very limited for all examples reported). The automatic variable reordering heuristics of Mocha were enabled during the experiments. We remark that differences in time or memory usage of up to a factor of 2 are not significant, since they can easily be produced by a variation in the automatic choice of variable ordering.



5.1 Demarcation Protocol 

The demarcation protocol is a distributed protocol aimed at maintaining numerical constraints between data residing in distributed copies of a database, while minimizing the communication requirements. We consider an instance of the protocol that ensures that two databases, residing at sites 1 and 2, never sell more than the maximum available number of seats $m$ aboard a plane. The variables $x_1$ and $x_2$ indicate the number of seats that have been sold at sites 1 and 2. Each site can both sell seats, and receive seats returned due to cancellations. In order to minimize the communication between the two sites, each site $i = 1, 2$ maintains a variable $xl_i$ indicating the maximum number of seats it can sell autonomously. If a site wishes to sell more seats than this limit allows, the site can send a request to the other site for more seats. Depending on the number of unsold seats, the other site has the option of rejecting the request, or of granting it in part or in full.

We model each site $i = 1, 2$ by a module $P_i$; the specification is $\Box[(x_1 \leq xl_1) \wedge (x_2 \leq xl_2) \wedge (xl_1 + xl_2 \leq m)]$. Each of $P_1$ and $P_2$ controls 20 variables, of which 8 are used for communication with the other module or appear in the invariant, and 12 are internal. Our rules enable the erasure of 9 of these 12 variables in each of $P_1$ and $P_2$; all of these variables are in the cone of influence of the specification. The table below compares the time and space requirements of global state space exploration with those of the two rules for various values of $m$. To check the robustness of the rules against changes in the system model, we also wrote an alternative, somewhat more complex model for the demarcation protocol. For $m = 4$, the verification of the alternative model required 136156 BDD nodes and 2009 seconds with the global approach, and 18720 BDD nodes and 211 seconds with the modular rule.
         Global                  Reach-based rule         CR-based rule
    m    BDD nodes   seconds     BDD nodes   seconds      BDD nodes   seconds
    4    20881       97          2847        25           8695        75
    6    64345       439         3338        40           20953       218
    8    179364      1671        8367        81           43915       517
    10   633102      8707        10475       112          65410       1878
    12   space-out   —           15923       174          93295       1980
    14   space-out   —           22205       300          145676      3913



5.2 Token Ring Arbiter 



The second example is a synchronous token-ring arbiter. It involves a ring of $m$ stations, around which a single token is passed unidirectionally through four-phase handshake protocols. The invariant states that there is at most one token present in the stations. A straightforward invariant would involve nearly all the variables in the system, and be rather tedious to write. Hence, we introduce observer modules that observe the number of tokens in the system. To enable the decomposition of the ring into two modules $P_1$ and $P_2$ representing the half-rings, we introduce two such observers, one for each half. We were able to erase all the variables used for the internal communications and state of the half-rings, even though these variables clearly belong to the cone of influence of the invariant. Each half ring controls $1 + 5m/2$ variables; of these, all but 4 could be erased. Below we compare the performance of global state-space exploration and of the two rules.





         Global                  Reach-based rule         CR-based rule
    m    BDD nodes   seconds     BDD nodes   seconds      BDD nodes   seconds
    16   657         8           979         7            608         8
    20   466         10          1619        9            308         12
    24   1138        22          1297        26           473         20
    28   1300        39          3486        24           519         29
    32   1187        110         3190        143          772         143
    36   1323        611         8230        242          1346        195



5.3 Sliding Window Protocol 

Our last example is a classical sliding window protocol, whose encoding is taken from the Mocha distribution. The protocol uses send and receive windows of size $m$, and it is composed of a sender module and a receiver module. Our invariant states essentially that the windows are not over-run by the protocol. In both the sender and the receiver, roughly half of the variables not used for communication with the other module can be erased when applying our modular approach. The comparison between the performance of global state-space exploration and of the two rules is presented below.
         Global                  Reach-based rule         CR-based rule
    m    BDD nodes   seconds     BDD nodes   seconds      BDD nodes   seconds
    3    8992        35          776         12           2443        33
    4    11831       99          1723        41           3740        42
    5    36359       1911        3843        84           8503        105
    6    94684       4994        7048        156          18316       500
    7    95667       2630        8282        513          22289       771
    8    space-out   —           26611       1582         47605       6245



5.4 Discussion 

The experimental results indicate that the proposed approach leads to a considerable 
reduction in the time and space requirements for the verification process. 

In the examples we considered, we identified which variables could be erased in the application of the rules by a simple trial-and-error process. We can automate this process by providing, for each module $P$, a list $\{x_1, \ldots, x_k\} \subseteq C_P$ of variables of $P$ that are not part of the specification, and that are not accessed by other modules. We list first the variables that are more likely to be successfully erased: those that are more "internal" to the module, and that interact with fewer other variables. We then apply the rule successively with the sets of erased variables $\{x_1, \ldots, x_k\}$, $\{x_1, \ldots, x_{k-1}\}$, $\{x_1, \ldots, x_{k-2}\}$, ..., until the rule succeeds. This process is efficient in practice. In fact, the more variables are erased, the smaller is the state space of the abstract modules: hence if too many variables are erased, the rule will fail in a fraction of the time required for a successful proof.

In the three examples considered, the stronger reachability predicates used to construct the abstract modules in the controllability-based rule did not enable the erasure of any additional variable. In the demarcation protocol and in the sliding window protocol examples, the ability of the reachability-based rule to erase variables on both sides of the parallel composition operator led to superior results compared with the controllability-based rule. In the token ring arbiter example, module $P_i$ has many more reachable states in a completely general environment than in an environment compatible with the specification, for $i = 1, 2$. Hence, the predicates $Reach(P_i)$ are much weaker (and take more time and space to compute) than the predicates $CR(P_i, \varphi)$, for $i = 1, 2$. For this reason, the controllability-based rule performs better than the reachability-based rule in this example.

If the premise of the reachability-based rule does not hold, we can construct automatically a trace over the variables in $\bigcup_{i=1}^{n} (V_{P_i} \setminus W_i)$, leading to a state that does not satisfy $\varphi$. This trace is a trace over a partial set of system variables, and it does not necessarily correspond to a counterexample to the conclusion. If the first premise of the controllability-based rule does not hold, then using facts about controllability we can reconstruct automatically a counterexample trace over the complete set of system variables. On the other hand, if the second premise of that rule does not hold for some $1 \leq i \leq n$, then we obtain a trace over a partial set of system variables that leads to a state $t_i$ where the predicate $CR(P_i, \varphi)$ does not hold. From $t_i$, using facts about controllability we can again construct a trace over the complete set of system variables that leads to a state where $\varphi$ does not hold. When confronted with a trace over a partial set of variables, we have taken the naive approach of selectively un-erasing some variables in the premises, until either the premises became valid, or the design error could be identified.
Abstract. We present a new heuristic for on-the-fly enumerative invariant verification. The heuristic is based on a construct for temporal scaling, called next, that compresses a sequence of transitions leading to a given target set into a single metatransition. First, we give an on-the-fly algorithm to search a process expression built using the constructs of hiding, parallel composition, and temporal scaling. Second, we show that as long as the target set $\Theta$ of transitions includes all transitions that access variables shared with the environment, the process next $\Theta$ for $P$ and $P$ are equivalent according to the weak-simulation equivalence. As a result, to search the product of given processes, we can cluster processes into groups with as little communication among them as possible, and compose the groups only after applying appropriate hiding and temporal scaling operators. Applying this process recursively gives an expression that has multiple nested applications of next, and has potentially many fewer states than the original product. We report on an implementation, and show significant reductions for a tree-structured parity computer and a ring-structured leader-election protocol.



1 Introduction 

Model checking has proved to be a useful technique for automatic debugging of high-level designs of hardware and protocols. Model checking requires search of the global state-space of the design, and since the number of global states increases exponentially with the size of the description, model checking tools must employ a variety of heuristics to battle this so-called state explosion problem. In this paper, we present a new heuristic for enumerative verification of invariant requirements. Before we describe our approach, let us briefly review two techniques: on-the-fly search of the reachable state-space, as implemented in tools such as Spin and Murφ, and reduction techniques based on process equivalences, as implemented in tools such as the Concurrency Workbench and CADP.
In on-the-fly model checking, the system is described as a collection of communicating processes. The global state-transition graph of the system is explored on demand starting from initial states using a systematic search algorithm. Only the states, and not the transitions, are stored in a global table, and as soon as a violation of the invariant is encountered, a counter-example is reported to the user. A variety of heuristics have been shown to be effective in restricting the search to a subset of the global state-space. Sample heuristics are reductions using symmetries and partial orders.

In the so-called compositional approaches, the system is described using a richer language (e.g. CCS) that supports operators such as parallel composition and hiding. Compositional techniques rely on the definition of a process equivalence (e.g. weak bisimulation) and algorithms to reduce a process with respect to this equivalence. Starting with a complex expression, subexpressions can then be replaced by equivalent smaller ones in a bottom-up fashion. The order in which processes are composed reflects the connectivity, and a judicious use of hiding allows greater reductions by making more transitions internal at each step. For well-structured designs such as trees and rings, this approach can yield significant reductions in principle. However, it does not guarantee early detection of violations, which is extremely important in typical applications of model checking. Furthermore, processing of subexpressions can be expensive. First, minimization with respect to an equivalence is typically $O(n \log n)$ or $O(n^2)$, where $n$ is the number of states in the unreduced graph. While minimization can be replaced by less expensive heuristic reduction algorithms, as far as we know, all the tools explicitly build the state-transition graphs for the subexpressions. Second, a subexpression, when considered on its own, has many more states than when considered in the context of the whole expression. Heuristic approaches to abstract the context by assumptions during reduction have been proposed, but offer only a partial remedy to this problem.

In this paper, we propose an on-the-fly search algorithm that takes into account the hierarchical structure of the architecture of the system. The reduction performed by the algorithm on subexpressions compresses internal transitions, and preserves the weak-simulation equivalence. While the basic reduction strategy is simple and well known, the novelty lies in applying it on demand in a hierarchical manner.

We develop our search algorithm in the more general setting of explicitly structured transition relations. Our process model, in addition to the standard operations of hiding and parallel composition, employs a construct for hierarchically structuring transition relations. For a process $P$ and a set $\Theta$ of target transitions, the process next $\Theta$ for $P$ is obtained by compressing a sequence of transitions of $P$ ending in a $\Theta$-transition into a single metatransition. The next operator is a temporal scaling operator inspired by notions of multiform time in synchronous languages, and was introduced in the language reactive modules. The parallel composition and temporal scaling can be mixed freely, giving complex processes. Note that applications of next can cause significant reductions in the global state-space by ruling out transient states. For instance, the expression (next $\Theta$ for $P$ $\parallel$ next $\Xi$ for $Q$) can have many fewer reachable states than $P \parallel Q$: to explore the state-space of $P \parallel Q$, at every step either $P$ or $Q$ is allowed to take a step, while to explore the expression (next $\Theta$ for $P$ $\parallel$ next $\Xi$ for $Q$), once $P$ is chosen, it is executed until it takes a $\Theta$-transition, and once $Q$ is scheduled, it is executed until it takes a $\Xi$-transition.

The first challenge is to design an on-the-fly algorithm to search a process expression built using parallel composition and temporal scaling. Such an algorithm is presented in Section 3. It generates global states only on demand, and can do early reporting of violations of invariants. To avoid recomputation, it stores in the global hash-table, along with the global states, the transient states generated during the processing of the next operator. It is guaranteed to visit every reachable state of the given expression, and visits no more, and typically many fewer, states than the reachable states of the flattened expression obtained by removing the applications of next. The running time is linear in the number of states (more precisely, the transitions) visited by the algorithm, and there is basically no overhead in applying the reduction.

Then, we proceed to identify restrictions under which the answer to the invariant verification problem is preserved by the application of next. Along the lines of well known results concerning the compression of internal transitions, we establish that if $\Theta$ includes those transitions that read or write shared variables, then the processes $P$ and next $\Theta$ for $P$ are equivalent according to the weak-simulation relation. Since weak-simulation is shown to be a congruence with respect to all the operators in our language, we can substitute freely and repeatedly any subexpression with next applied to it. Thus, given a problem to search the composition of a collection of processes, we can heuristically build an expression that clusters the given processes to limit the shared variables across clusters, and apply hiding and temporal scaling to individual clusters before composing them. This process is applied recursively to maximize the reduction. The resulting expression is then searched using the algorithm of Section 3.

The heuristic is demonstrated on a couple of benchmark examples using a 
prototype implementation. The first example concerns a tree-structured system 
which computes the parity of inputs presented at the leaves. This example is ide- 
ally suited for our reduction: while the number of reachable states of the global 
system increases exponentially with the size of the tree, the number of reachable 
states of the reduced search increases almost linearly. The second example con- 
cerns a standard leader election algorithm in a ring network. While the reduction 
is less dramatic, it is still significant for both space and time. The experimental 
results also support our analysis that the running time is proportional to the 
number of states visited. 

The rest of the paper is organized as follows. Section 2 presents our process model. Section 3 gives the search algorithm for process expressions employing next and parallel composition. Section 4 presents the heuristic application of next and justifies its correctness using the theory of simulation equivalences. Section 5 gives experimental results. Finally, in Section 6, we conclude with a comparison with other heuristics.



2 Process Model 

We start with the definition of processes. Our process model uses interleaving semantics, and read-shared exclusive-write variables. The model is a simplification of reactive modules.

Given a set $X$ of typed variables, a state over $X$ is a function mapping variables to their values. For a state $s$, define $s[v/x]$ to be the state obtained from $s$ by replacing the value of $x$ by $v$.

A process is defined by the set of its variables, rules for initializing the vari- 
ables, and rules for updating the variables. The variables of a process P are 
partitioned into three classes: private variables that cannot be read or written 
by other processes, interface variables that are written only by P, but can be 
read by other processes, and external variables that can only be read by P, and 
are written by other processes. Thus, interface and external variables are used 
for communication, and are called observable variables. The process controls its 
private and interface variables, and its environment controls the external vari- 
ables. Once the variables of a process are specified, the state space of the process 
is determined. A state is also partitioned into different components as the vari- 
ables are (e.g., controlled state and external state). The initialization specifies 
initial controlled states, and the transition relation specifies how to change the 
controlled state as a function of the current state. 

Definition 1. A process $P$ is a tuple $(X, I, T)$ where

— $X = (X_p, X_i, X_e)$ is the (typed) variable declaration. $X_p$, $X_i$, $X_e$ represent the sets of private variables, interface variables and external variables respectively. Define the controlled variables $X_c = X_p \cup X_i$ and the observable variables $X_o = X_i \cup X_e$;

— $Q_c$ is the set of controlled states over $X_c$ and $Q_e$ is the set of external states over $X_e$. $Q = Q_c \times Q_e$ is the set of states. We also define $Q_o$ to be the set of observable states over $X_o$;

— $I \subseteq Q_c$ is the set of initial states;

— $T \subseteq Q_c \times Q_e \times Q_c$ is the transition relation. We use the notation $q \xrightarrow{e} q'$ for $(q, e, q') \in T$. ■

A state q can be updated in two ways. If the process makes its move, it changes 
its controlled state according to the transition relation. If the environment makes 
its move, it can change the external state to any arbitrary value. 

Definition 2. Let $P = ((X_p, X_i, X_e), I, T)$ be a process, and $q, q'$ be states. Then $q'$ is a successor of $q$, written $q \rightarrow q'$, if

— $q[X_e] = q'[X_e]$ and $q[X_c] \xrightarrow{q[X_e]} q'[X_c]$; or

— $q[X_c] = q'[X_c]$.

An execution of $P$ is a sequence of states in $Q^*$, $q_0 q_1 \cdots q_n$, where $q_0[X_c] \in I$ and $q_i \rightarrow q_{i+1}$ for $0 \leq i < n$.

The reachable set of $P$, denoted $\mathcal{R}(P)$, contains the states $q$ such that there is an execution ending in $q$. ■

In order to support structured descriptions, we would like to build complex processes from simpler ones. Three constructs, hide $H$ in $P$, $P \parallel P'$ and next $\Theta$ for $P$, for building new processes are defined in our model as follows. The hide operator makes interface variables inaccessible to other processes.

Definition 3. Let $P = ((X_p, X_i, X_e), I, T)$ be a process and $H \subseteq X_i$. Define the process hide $H$ in $P$ to be $((X_p \cup H, X_i \setminus H, X_e), I, T)$. ■

The parallel composition operator allows us to combine two processes into a single one. The composition is defined only when the controlled variables of the two process are disjoint. Intuitively, a step of $P \parallel Q$ is taken by either $P$ or $Q$, but not both.

Definition 4. Let $P' = ((X'_p, X'_i, X'_e), I', T')$ and $P'' = ((X''_p, X''_i, X''_e), I'', T'')$ be processes where $X'_c \cap X''_c = \emptyset$. The composition $P$ of $P'$ and $P''$, denoted $P' \parallel P''$, is defined as follows.

— $X_p = X'_p \cup X''_p$;

— $X_i = X'_i \cup X''_i$;

— $X_e = (X'_e \cup X''_e) \setminus X_i$;

— $I = I' \times I''$;

— $T \subseteq Q_c \times Q_e \times Q_c$, where $(q, e, r) \in T$ if

  • $q[X'_c] \xrightarrow{(q,e)[X'_e]} r[X'_c]$ in $T'$ and $q[X''_c] = r[X''_c]$; or

  • $q[X''_c] \xrightarrow{(q,e)[X''_e]} r[X''_c]$ in $T''$ and $q[X'_c] = r[X'_c]$. ■



Finally, we introduce the next operator. The next operator is a temporal construct where new transitions are created by grouping a number of lower-level transitions. A transition in next $\Theta$ for $P$ is a sequence of transitions in $P$ where the last transition is in $\Theta$. The external state is assumed to stay fixed during the sequence. By applying the next operator, a sequence of small steps becomes a big step. The next operator is inspired by the notions of multi-form time in synchronous languages, and was introduced in the language reactive modules.

Definition 5. Let $P = (X, I, T)$ be a process and $\Theta$ a subset of $T$. Define the process next $\Theta$ for $P$ to be $(X, I, T')$ where $(q, e, r) \in T'$ if there are states $q_0 = q, q_1, \ldots, q_n = r$ in $Q_c$ such that $(q_i, e, q_{i+1}) \in T \setminus \Theta$ for $0 \leq i < n-1$ and $(q_{n-1}, e, q_n) \in \Theta$. ■
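As an added example, not the paper's prototype implementation, the following Python code realises the successor relation of Definition 2 (for a closed system), the composition of Definition 4 and the next operator of Definition 5 on a constructed pair of processes, and compares the number of reachable states of $P \parallel Q$ with that of (next $\Theta$ for $P$ $\parallel$ next $\Theta$ for $Q$). The two processes, their variable names, and the choice of $\Theta$ (the transitions that read or write the shared interface bits, as the text requires) are assumptions made up for this illustration.

```python
from collections import deque

# Constructed example (not from the paper): two processes, each owning a private 3-phase
# counter c_i and an interface bit o_i, and reading the other's bit o_j as an external variable.
# Two internal steps advance c_i; the third step wraps c_i to 0 and writes o_i := 1 - o_j.
def counter_process(i):
    j = 3 - i
    c, o, oj = f"c{i}", f"o{i}", f"o{j}"
    def trans(q):                  # T as a function: full state -> list of next controlled states
        if q[c] < 2:
            return [{c: q[c] + 1, o: q[o]}]      # internal step: observable part unchanged
        return [{c: 0, o: 1 - q[oj]}]             # wrap: reads o_j and writes o_i
    def theta(q, r):               # Θ: the transitions that access shared variables (the wrap)
        return q[c] == 2
    return {"ctrl": (c, o), "ext": (oj,), "init": [{c: 0, o: 0}], "trans": trans, "theta": theta}

def next_for(p):
    """Definition 5: next Θ for P. From a state q with its external part fixed, follow non-Θ
    transitions of P (breadth-first with a visited set, so internal cycles terminate) and
    emit one metatransition for every Θ-transition found on the way."""
    def meta(q):
        ext = {v: q[v] for v in p["ext"]}
        start = {v: q[v] for v in p["ctrl"]}
        key = lambda s: tuple(s[v] for v in p["ctrl"])
        seen, todo, targets = {key(start)}, deque([start]), []
        while todo:
            full = {**todo.popleft(), **ext}
            for r in p["trans"](full):
                if p["theta"](full, r):
                    targets.append(r)
                elif key(r) not in seen:
                    seen.add(key(r))
                    todo.append(r)
        return targets
    return {**p, "trans": meta}

def compose(p, q):
    """Definition 4: interleaving composition; each step is taken by exactly one component,
    and the other component's controlled variables are left unchanged."""
    ctrl = p["ctrl"] + q["ctrl"]
    ext = tuple(v for v in p["ext"] + q["ext"] if v not in ctrl)
    def trans(s):
        moves = []
        for a, b in ((p, q), (q, p)):
            for r in a["trans"](s):
                moves.append({**{v: s[v] for v in b["ctrl"]}, **r})
        return moves
    init = [{**a, **b} for a in p["init"] for b in q["init"]]
    return {"ctrl": ctrl, "ext": ext, "init": init, "trans": trans}

def reachable(p):
    """R(P) of Definition 2 for a closed process (no external variables, hence only process
    moves); returned as a set of tuples over the controlled variables."""
    assert not p["ext"], "environment moves are not modelled; compose to a closed system first"
    key = lambda s: tuple(s[v] for v in p["ctrl"])
    seen, todo = {key(s) for s in p["init"]}, deque(p["init"])
    while todo:
        for r in p["trans"](todo.popleft()):
            if key(r) not in seen:
                seen.add(key(r))
                todo.append(r)
    return seen

P, Q = counter_process(1), counter_process(2)

def compare():
    """Search P || Q flat and as (next Θ for P) || (next Θ for Q), and project both reachable
    sets onto the interface bits o1, o2 to check that the observable states agree."""
    flat, reduced = compose(P, Q), compose(next_for(P), next_for(Q))
    r_flat, r_red = reachable(flat), reachable(reduced)
    obs = lambda states, proc: {tuple(s[proc["ctrl"].index(v)] for v in ("o1", "o2")) for s in states}
    return {"flat": len(r_flat), "reduced": len(r_red),
            "same_observable": obs(r_flat, flat) == obs(r_red, reduced)}

if __name__ == "__main__":
    print(compare())     # {'flat': 27, 'reduced': 3, 'same_observable': True}
```

The flat search interleaves the two counters freely and visits every combination of counter values, while the scaled search only ever stops at the metatransition boundaries where the counters are back at 0, which is exactly the transient-state pruning the text describes; since every transition that touches $o_1$ or $o_2$ is in $\Theta$, the set of observable states, and hence the answer to any invariant over $o_1$ and $o_2$, is unchanged.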
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3 Search Algorithm 

In this section, we will develop an on-the-fly search algorithm to explore reachable states of processes formed using applications of parallel composition, hiding, and next. Applications of next nested with parallel composition lead to hierarchically structured transitions. The search algorithm proceeds recursively in the structure of the process. In order to present the algorithm, we distinguish atomic processes from composite ones. A process is called a composite process if it uses the composition, hide or next operator. Otherwise, it is called an atomic process.

Definition 6. A process expression is defined recursively as follows.

  M ::= P | M || M | hide H in M | next Θ for M

where P is an atomic process, H is a set of variables and Θ is a set of transitions.



We will assume that a suitable syntax for atomic processes, such as guarded commands, has been chosen. We also assume that any atomic process appears in a process expression at most once. The algorithm uses the following pre-defined functions:

- The function GetInitialStates(M) returns the set of initial states of any process expression M.

- For an atomic process P and a state q in P, AtomicGetNext(P, q) returns the set of successors of q in P.

- The function BelongsTo(s, t, Θ) tests whether the transition from state s to state t is in Θ.

Since initial states are preserved by hide and next constructs, they can be com- 
puted by ignoring these operators. The function AtomicGetNext(P , q) is used 
to handle the basic case and is straightforward to implement as well. 

Given a process expression, the algorithm of Figure 1 traverses reachable states in a depth-first manner. Since initial states are reachable, it calls the depth-first search subroutine on the initial states iteratively. The algorithm uses a global hash table to store states. The depth-first search routine then uses the key function GetNext(M, s) to compute the set of successors of s in process M. The function GetNext(M, s) proceeds in a top-down fashion. Given a global state s, GetNext(M, s) returns the global states that are unvisited successors of s. It uses the pre-defined function AtomicGetNext(P, s) for the atomic case. For the composition, it computes the successors of each component and returns their union. When it encounters a process defined by the next operator, it generates the successors of the current state and checks each transition. If a target transition (one in Θ) is found, the function adds the new state to its returned result. Otherwise, it generates the successors of the new state repeatedly until a target transition is found.

To illustrate how the algorithm works, consider the processes P and Q shown in Figure 2. Let P' and Q' denote next Θ for P and next Σ for Q respectively,
proc Main(M) =
  tbl := NewHashTable();
  foreach s ∈ GetInitialStates(M) do
    if s ∉ tbl then Insert(tbl, s); DFS(M, s) fi
  od.

proc DFS(M, s) =
  foreach s' ∈ GetNext(M, s) do DFS(M, s') od.

funct GetNext(M, s) =
  if M = P
  then result := ∅;
       foreach s' ∈ AtomicGetNext(P, s[P]) do
         if s[s'/X_P] ∉ tbl
         then Insert(result, s[s'/X_P]);
              Insert(tbl, s[s'/X_P])
         fi
       od;
       return result
  elsif M = hide H in M'
  then return GetNext(M', s)
  elsif M = M_1 || M_2
  then return GetNext(M_1, s) ∪ GetNext(M_2, s)
  elsif M = next Θ for M'
  then result := ∅;
       foreach s' ∈ GetNext(M', s) do
         if BelongsTo(s, s', Θ)
         then Insert(result, s')
         else Insert(result, GetNext(M, s'))
         fi
       od;
       return result
  fi.

Fig. 1. Search Algorithm



where Θ and Σ consist of the thick transitions (i.e. Θ = {(0, 1), (3, 4)} and Σ = {(B, C)}). The product P||Q is also shown in the figure, and has 15 states. The product P'||Q' has far fewer states, namely 6, shown as filled circles. This illustrates that the application of next rules out many transient states, and can potentially save space. The challenge is to explore the expression in a top-down manner, computing metatransitions only on demand.

Suppose the algorithm is exploring the reachable states of P'||Q'. First, it visits the initial state 0A. The first invocation of GetNext(P'||Q', 0A) returns the states 1A, 4A and 0C, and afterwards the hash table contains these states as well as light gray states such as 2A and 3A. It is crucial that transient states such as 2A are stored in the hash table to avoid recomputation.

Next, the algorithm searches from 1A. It ignores the successor state 2A since it is in the hash table, returns state 1C and puts state 1B in the hash table. Then it explores state 4A, which in turn returns state 4C and puts state 4B in the table. When the algorithm processes the state 0C, it adds states 2C and 3C to
Fig. 2. Traversal Example



the hash table. However, since states 1C and 4C have been visited, it ignores them. At the end, the algorithm has returned the black states and put the shaded states in the hash table. Note that the algorithm never visits the states 2B and 3B, and thus does less work than required to search P||Q.
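The search of Fig. 1 run on the example of Fig. 2, as an added Python example written for this page (it is not the authors' O'Caml prototype). The edge lists of P and Q are reconstructed from the narrative above and are an assumption; Θ and Σ are the sets stated in the text. An atomic process is represented by its controlled variables, its initial valuations and an AtomicGetNext function, Θ is given as pairs of local states, and GetNext, Main and Strip follow the figure and Definition 7; run_example returns the states the DFS expanded (the black states), the final hash table, and R(Strip(P'||Q')).

```python
from collections import namedtuple
from itertools import product

# A global state is a sorted tuple of (variable, value) pairs: hashable, so it
# goes straight into the hash table tbl.
def mk(d):
    return tuple(sorted(d.items()))

def restrict(s, xs):
    """s[X]: the valuation s restricted to the variables X."""
    return tuple((x, v) for x, v in s if x in xs)

def update(s, local):
    """s[s'/X_P]: overwrite the variables controlled by one component."""
    d = dict(s)
    d.update(local)
    return mk(d)

# Process expressions (Definition 6).  An atomic process carries its controlled
# variables X_c, its initial valuations and AtomicGetNext as a function of the
# global state; Θ is given as pairs (q[X_c], r[X_c]) over the body's variables.
Atomic = namedtuple("Atomic", "ctrl init step")
Hide = namedtuple("Hide", "hidden body")     # hide H in M
Par = namedtuple("Par", "left right")        # M1 || M2
Next = namedtuple("Next", "theta body")      # next Θ for M

def ctrl_vars(M):
    if isinstance(M, Atomic):
        return M.ctrl
    if isinstance(M, Par):
        return ctrl_vars(M.left) | ctrl_vars(M.right)
    return ctrl_vars(M.body)

def get_initial_states(M):
    """hide and next preserve initial states, so only atoms and || matter."""
    if isinstance(M, Atomic):
        return set(M.init)
    if isinstance(M, Par):
        return {update(a, dict(b)) for a, b in
                product(get_initial_states(M.left), get_initial_states(M.right))}
    return get_initial_states(M.body)

def belongs_to(s, t, M):
    """BelongsTo(s, t, Θ), checked on the controlled variables of M's body."""
    xs = ctrl_vars(M.body)
    return (restrict(s, xs), restrict(t, xs)) in M.theta

def get_next(M, s, tbl):
    """Unvisited successors of s in M.  Every state generated on the way,
    transient or not, enters tbl so that it is never recomputed."""
    if isinstance(M, Atomic):
        result = set()
        for local in M.step(dict(s)):
            t = update(s, local)
            if t not in tbl:
                result.add(t)
                tbl.add(t)
        return result
    if isinstance(M, Hide):
        return get_next(M.body, s, tbl)
    if isinstance(M, Par):
        return get_next(M.left, s, tbl) | get_next(M.right, s, tbl)
    result = set()                              # M = next Θ for M'
    for t in get_next(M.body, s, tbl):
        if belongs_to(s, t, M):
            result.add(t)                       # chain ended with a Θ step
        else:
            result |= get_next(M, t, tbl)       # transient: keep chaining inside M
    return result

def search(M):
    """Main(M) of Fig. 1: returns (states expanded by DFS, final hash table)."""
    tbl, visited = set(), set()

    def dfs(s):
        visited.add(s)
        for t in get_next(M, s, tbl):
            dfs(t)

    for s in get_initial_states(M):
        if s not in tbl:
            tbl.add(s)
            dfs(s)
    return visited, tbl

def strip(M):
    """Strip(M) of Definition 7: drop every hide and next operator."""
    if isinstance(M, Atomic):
        return M
    if isinstance(M, Par):
        return Par(strip(M.left), strip(M.right))
    return strip(M.body)

def chain_process(var, init, edges):
    """Atomic process whose single controlled variable moves along the edges."""
    succ = {}
    for a, b in edges:
        succ.setdefault(a, []).append(b)
    return Atomic(frozenset([var]), (mk({var: init}),),
                  lambda s: [{var: b} for b in succ.get(s[var], [])])

def theta(var, pairs):
    return frozenset((mk({var: a}), mk({var: b})) for a, b in pairs)

# Constructed input: P and Q of Fig. 2 with assumed edges; Θ = {(0,1),(3,4)} and
# Σ = {(B,C)} as stated in the text.
P = chain_process("p", 0, [(0, 1), (0, 2), (1, 2), (2, 3), (3, 4)])
Q = chain_process("q", "A", [("A", "B"), ("B", "C")])
PRIME = Par(Next(theta("p", [(0, 1), (3, 4)]), P),
            Next(theta("q", [("B", "C")]), Q))   # P' || Q'

def run_example():
    visited, tbl = search(PRIME)         # black states, and black + shaded states
    full, _ = search(strip(PRIME))       # R(Strip(P'||Q')) = R(P||Q)
    return visited, tbl, full
```

On this input run_example yields the 6 black states, 13 states in the table (2B and 3B never enter it) and all 15 states of P||Q, matching the walk through Fig. 2 above; the transition 1A to 4A of P'||Q' is never produced because 2A is already in the table when 1A is expanded. The nested hide/next clustering used later for the parity tree is built from the same Par, Hide and Next constructors.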

To analyze the algorithm, given a process expression M, define Strip(M) to be the process expression obtained by removing all hide and next operators in M. More formally, we have

Definition 7. Let M be a process expression. Define Strip(M) recursively as follows.

  Strip(P) = P
  Strip(hide H in M) = Strip(M)
  Strip(next Θ for M) = Strip(M)
  Strip(M_1 || M_2) = Strip(M_1) || Strip(M_2)

where P is an atomic process, H is a set of variables and Θ is a set of transitions.

For any process expression M, consider the two reachable sets R(M) and R(Strip(M)). Clearly, for each state s ∈ R(M), s ∈ R(Strip(M)), because Strip(M) contains all transitions of the atomic processes and hence each transition in M is a sequence of transitions in Strip(M). On the other hand, if M contains the next construct, some of the intermediate states may be reachable in Strip(M) but not in M. Hence R(M) and R(Strip(M)) are the two extremes of the state spaces one can hope to search. Since we are interested in checking invariants of the process, we would like the algorithm to visit all reachable states of M. Besides, the number of states visited by the algorithm shouldn't exceed that of Strip(M). In Figure 2 one can see that R(P'||Q'), tbl and R(Strip(P'||Q')) are the black states, the shaded states and all states respectively.

The following theorem thus shows the correctness and the space requirements of our algorithm.

Theorem 1. Let M be an arbitrary process expression. Then at the end of the procedure Main(M),

- R(M) ⊆ tbl;

- tbl ⊆ R(Strip(M)).

To prove Theorem 1 we begin by defining an auxiliary transition relation parameterized by process expressions.



Definition 8. Let M be a process expression, s, s' be states of M, and N be a subexpression of M. Define s →_N s' by the following rules, where X_M denotes the variables of M, X^c_P and X^e_P the controlled and external variables of the atomic process P, and X^c_N, X^e_N those of the subexpression N.

  \frac{s[X_M \setminus X^c_P] = s'[X_M \setminus X^c_P] \quad (s[X^c_P],\, s[X^e_P],\, s'[X^c_P]) \in T_P}{s \to_P s'}

  \frac{s \to_{M_1} s'}{s \to_{M_1 || M_2} s'} \qquad \frac{s \to_{M_2} s'}{s \to_{M_1 || M_2} s'}

  \frac{s \to_M s'}{s \to_{\text{hide } H \text{ in } M} s'}

  \frac{s \to_N s' \quad (s[X^c_N],\, s[X^e_N],\, s'[X^c_N]) \in \Theta}{s \to_{\text{next } \Theta \text{ for } N} s'}

  \frac{s \to_N s'' \quad (s[X^c_N],\, s[X^e_N],\, s''[X^c_N]) \notin \Theta \quad s'' \to_{\text{next } \Theta \text{ for } N} s'}{s \to_{\text{next } \Theta \text{ for } N} s'}

Intuitively, s →_N s' denotes that the state changes from s to s' by taking a transition of the subexpression N.

Definition 9. Let M be a process expression, s, s' be states of M, N be a subexpression of M, and s →_N s'. Define Expand(s →_N s') to be the set of paths

  { s_0 = s →_{P_0} s_1 ··· s_{n−1} →_{P_{n−1}} s_n = s'  |  each s_i →_{P_i} s_{i+1} appears at the leaves of a derivation of s →_N s' }

Intuitively, Expand(s →_N s') contains the paths of atomic steps from s to s'.



Lemma 1. Let M be a process expression, N be a subexpression of M, t, t' be states of M, and tbl be the content of the table before GetNext(N, t) is invoked. If t →_N t', then

- t' ∈ GetNext(N, t); or

- for every path s_0 = t →_{P_0} s_1 ··· s_{n−1} →_{P_{n−1}} s_n = t' in Expand(t →_N t') there is an i, 0 < i ≤ n, such that s_i ∈ tbl.
The above lemma is used to establish that if t →_M t' then t' is added to the hash table eventually, and allows us to conclude that the algorithm visits all the reachable states of the input expression.

Since the hash table is used, each state in tbl is processed precisely once. The cost of processing a state is proportional to its outdegree, and this gives a bound on the running time of the algorithm. Thus, the saving in space comes at no extra overhead in time.

It is straightforward to modify the search algorithm to check invariants of process expressions. However, it should be noted that our algorithm cannot be used to check path properties. For instance, in the example of Figure 2 the global product P'||Q' has a transition from 1A to 4A, but this transition will not be discovered by the algorithm.



4 Applying Next as a Heuristic

Suppose we wish to check an invariant of the process expression M = P||Q. Can we find transition sets Θ and Σ, and search instead the process expression M' = next Θ for P || next Σ for Q? As seen already, searching M' can be more efficient than searching M, and we can use the algorithm from the previous section. In this section, we would like to find conditions under which searching M' suffices to solve the original problem.

Notice that the application of next compresses a sequence of transitions into a single transition. Intuitively, as long as the compressed transitions are local, and do not access shared variables, such a transformation should be transparent to the remaining processes. The fact that sequences of invisible transitions can be compressed while preserving weak equivalences is well known in theory and tools based on standard process algebras. We adapt this concept to our framework in the sequel. In particular, we show that under appropriate restrictions, next Θ for P is equivalent to P under Milner's weak-simulation equivalence. This allows us, then, to apply next to subexpressions repeatedly in a recursive manner.

We start with the definition of observable transition. If a transition doesn't change the values of interface variables, it is called unobservable. From other processes' point of view, unobservable transitions are not interesting. This motivates the following definition of the observable transition relation.

Definition 10. Let P = ((X_p, X_i, X_e), I, T) be a process, q, q' ∈ Q_c and e ∈ Q_e. Then q ⇒^w_e q' is an observable transition if there are q_0 = q, q_1, ..., q_n = q' ∈ Q_c such that

- for all 0 ≤ i < n, q_i[X_i] = q_0[X_i];

- for all 0 ≤ i < n, q_i →_e q_{i+1}. ■



Now we define the simulation equivalence.

Definition 11. Let P = ((X_p, X_i, X_e), I, T) and P' = ((X'_p, X_i, X_e), I', T') be two processes, q ∈ Q_c, and q' ∈ Q'_c. A (weak) simulation relation ≼ ⊆ Q_c × Q'_c satisfies

  q ≼ q' implies q[X_i] = q'[X_i] and

  for all r ∈ Q_c, for all e ∈ Q_e, if q →_e r then there exists r' ∈ Q'_c such that q' ⇒^w_e r' and r ≼ r'.

P is (weakly) simulated by P' if there is a simulation ≼ such that for all q ∈ I there exists q' ∈ I' with q ≼ q'. P ≃ P' if P ≼ P' and P' ≼ P. ■

Intuitively, if two processes are simulated by each other, each can perform the other's visible behaviors. More specifically, if one is able to change its interface variables under a certain environment, the other is able to do the same. Therefore, if an observable state is reachable for one process, it is reachable in the other too. Observe that if P and Q are simulation-equivalent, then to check an invariant concerning observable states of P, it suffices to check that invariant of Q. Now we proceed to establish simulation equivalence between a process and its next-abstraction, provided the compressed transitions do not access shared variables.

Definition 12. Let P = ((X_p, X_i, X_e), I, T) be a process, q, q' ∈ Q_c. Then (q, e, q') ∈ T is called a write-visible transition if q[X_i] ≠ q'[X_i]. (q, e, q') ∈ T is called a read-visible transition if there exists e' ∈ Q_e with (q, e', q') ∉ T.

A transition in T is called visible if it is write-visible or read-visible. The set of visible transitions in T is denoted by T_v. ■

The next technical lemma is needed when we prove the theorem.

Lemma 2. Let P = (X, I, T) be a process and T_v ⊆ Θ ⊆ T. Define the relation S ⊆ Q_c × Q_c × Q_e as follows.

  S = { (q, q', e) | ∃ q_0, ..., q_n. q_0 = q' ∧ q_n = q ∧ ∀ 0 ≤ i < n. (q_i, e, q_{i+1}) ∈ T \ Θ }.

Then for any q ∈ R(P), there exists q' ∈ R(next Θ for P) with (q, q', q[X_e]) ∈ S.

Theorem 2. Let P = (X, I, T) be a process and T_v ⊆ Θ ⊆ T. Then P ≃ next Θ for P.

Given a process P, we now define its reduced version NEXT P to be next T_v for P. By Theorem 2, P ≃ NEXT P. To be able to replace a process subexpression by an application of NEXT freely and repeatedly, we must establish that the simulation equivalence is a congruence for the operators in our language:

Theorem 3. Let P, P' be processes and P ≼ P'. Then

- P||Q ≼ P'||Q for any Q;

- hide H in P ≼ hide H in P';

- NEXT P ≼ NEXT P'.
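Definition 12 and Theorem 2 on a constructed process, as an added Python example (it is not the authors' code). The process, its variable domains and its transition function are assumptions chosen so that T has both kinds of transitions: a private counter c counts up invisibly, and only when c = 2 does the step depend on the external bit go (read-visible) or flip the interface bit out (write-visible). The block computes T_v, builds next T_v for P explicitly from Definition 5, and compares the reachable and the observable (interface) states of P and NEXT P.

```python
from itertools import product

# Constructed process P = ((X_p, X_i, X_e), I, T): private counter c, interface
# bit out, external bit go.  Domains are an assumption of this example.
X_p, X_i, X_e = ("c",), ("out",), ("go",)
DOM = {"c": (0, 1, 2), "out": (0, 1), "go": (0, 1)}

def valuations(xs):
    """All valuations over the variables xs, as tuples of (variable, value)."""
    return [tuple(zip(xs, vals)) for vals in product(*(DOM[x] for x in xs))]

Q_c, Q_e = valuations(X_p + X_i), valuations(X_e)

def proj(q, xs):
    """q[X]: restriction of a valuation to the variables X."""
    return tuple((x, v) for x, v in q if x in xs)

def step(q, e):
    """Successors of controlled state q under environment e; this defines T."""
    c, out, go = dict(q)["c"], dict(q)["out"], dict(e)["go"]
    if c < 2:
        return [(("c", c + 1), ("out", out))]    # private counting: invisible
    if go:
        return [(("c", 0), ("out", 1 - out))]    # flips out: write-visible
    return [(("c", 2), ("out", out))]            # exists only for go = 0: read-visible

T = {(q, e, r) for q in Q_c for e in Q_e for r in step(q, e)}
I = {(("c", 0), ("out", 0))}

def visible(T):
    """T_v of Definition 12: write-visible or read-visible transitions of T."""
    return {(q, e, r) for (q, e, r) in T
            if proj(q, X_i) != proj(r, X_i)
            or any((q, e2, r) not in T for e2 in Q_e)}

def next_for(theta, T):
    """Definition 5: under a fixed environment e, a chain of T\\Θ steps ending
    with one Θ step collapses to a single transition of next Θ for P."""
    Tn = set()
    for q0, e in product(Q_c, Q_e):
        todo, seen = [q0], {q0}
        while todo:
            q = todo.pop()
            for (q1, e1, r) in T:
                if (q1, e1) != (q, e):
                    continue
                if (q, e, r) in theta:
                    Tn.add((q0, e, r))
                elif r not in seen:               # transient state: keep chaining
                    seen.add(r)
                    todo.append(r)
    return Tn

def reachable(T, I):
    """R(P): controlled states reachable from I under arbitrary environments."""
    seen, todo = set(I), list(I)
    while todo:
        q = todo.pop()
        for (q1, e, r) in T:
            if q1 == q and r not in seen:
                seen.add(r)
                todo.append(r)
    return seen

def observable(states):
    """Projection of a set of controlled states onto the interface variables."""
    return {proj(q, X_i) for q in states}

def run():
    Tv = visible(T)
    R_p, R_next = reachable(T, I), reachable(next_for(Tv, T), I)   # P vs NEXT P
    return len(T), len(Tv), R_p, R_next
```

Here T has 12 transitions of which 4 are visible; P reaches all 6 control states while NEXT P reaches only 4 (the states with c = 1 are transient and disappear), and the two reachable sets agree on the interface variable out, which is what invariant checking on observable variables needs. Theorem 2 requires T_v ⊆ Θ, so dropping a visible transition from Θ would not be covered by it.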
Using the search algorithm shown in Section 3, one can check invariants φ on observable variables more efficiently as follows. Consider any process expression M; we construct a new process M' by substituting subexpressions E in M by NEXT E. This substitution can be applied repeatedly. Then every observable state of M will be visited by Main(M'). Thus, invariant verification of M reduces to the invariant verification of M'.

Consider a process expression M = M_1 || ··· || M_n where each M_i is an atomic process. We want to construct in a heuristic fashion an expression M' such that M' involves applications of hide and NEXT to subexpressions of M with Strip(M') = M. By the previous sections, any such substitution will yield the same answer, but the effectiveness of the reduction may differ from case to case. How to find a suitable partition of M to apply this technique becomes an interesting problem in its own right.

In principle, one would like to divide the system into parts so that the communication between any two parts is minimal. When a system is built with a certain interconnection structure (like trees, rings, or grids), these structures should be exploited in verification. For instance, one can reduce the number of states by applying the next construct to subtrees in a tree-like structure. One can use the technique recursively on each subtree and obtain an even larger reduction. Note that hiding interface variables whenever possible is crucial, since our reduction cannot ignore write-visible transitions.

5 Implementation and Experiments

We report two case studies to test our theory. In our experiments, we use a syntax similar to Mocha to specify modules. The experiments were done using a prototype implementation in O'Caml. Details of the examples are available to the readers at http://www.cis.upenn.edu/~bywang/concur99.html.

The first example models a parity computer with a binary tree structure. The system consists of several Client modules as leaves and Join modules as internal nodes. The interconnection between these modules and the Root module is shown in Figure 3 for the 4-client configuration.

Instead of searching

  Root || Join || Join0 || Join1 || Client00 || Client01 || Client10 || Client11

we can naturally cluster modules as shown in Figure 4. The expression we search is

  Root || NEXT hide ( Join ||
                      NEXT hide (Join0 || Client00 || Client01) ||
                      NEXT hide (Join1 || Client10 || Client11) )

For readability the argument variables to hide are not shown above, but should be obvious from context: only the variables communicating with the parent need to be observable at each level of the subtree. Notice that for the top-level expression, a step is either a step of the module Root, or it is a sequence of steps of the tree
Fig. 3. Tree-structured Parity Computer

Fig. 4. Reduction for the parity tree computer



rooted at Join until either req is updated or ack is read. A step of the tree rooted at Join is either a step of the module Join, or a sequence of steps of the subtree rooted at Join0 until req0 or ack0 is accessed, or a sequence of steps of the subtree rooted at Join1 until req1 or ack1 is accessed. Since each Join node communicates with its parent only after it has received and processed requests from its children, we get an excellent reduction. The table of Figure 4 shows the number of states visited, together with the CPU time required by the algorithm, for different numbers of clients. Observe that while the number of states grows exponentially without any reduction, our heuristic scales almost linearly.

Our second example concerns the standard leader election protocol in an asynchronous ring of cells. The protocol used here has been used as a benchmark to study how model checking algorithms scale. Figure 5 shows four cells connected together and the partition used for the applications of next. The results are reported in the table of Figure 6. While not as spectacular as for the parity tree computer, observe the significant reduction in space and time.

6 Conclusions

We have presented a new heuristic for model checking based on hierarchically structured transition relations. The heuristic potentially combines the advantages of
Fig. 5. Leader Module

Fig. 6. Reduction for the leader election in ring



on-the-fly search with early detection of violations and compositional reduction techniques based on process equivalence.

While the construct next has been studied previously in the context of symbolic search, this is the first study that establishes conditions under which the next construct can be introduced without changing the answer to the original verification problem. The transformation of Section 3 can be used for improving the efficiency of symbolic model checking as well. The reduction offered by our method differs between examples. The reduction is largest when processes can be clustered so that when one cluster communicates with another, it does so in only a small number of different internal states.

Partial-order reduction has been successfully combined with on-the-fly search. It may appear that our reduction is a simple form of partial-order reduction, but on closer scrutiny the two techniques are incomparable, and we believe them to be compatible. Partial-order reduction does not exploit the hierarchical structure, but uses independence among transitions to restrict the number of interleavings. It is easy to construct examples in which our method works better than the partial-order reduction method, and vice versa. On the examples reported in this paper, the software Spin gives much more impressive reductions on the leader election protocol, but our method performs better for the parity computer. The modeling languages of Spin and Mocha are too different to make any meaningful comparison in the absolute number of states for each configuration, so the comparison is based on the rates of growth with the scaling parameter. More information about the comparison can be found along with the code of our examples (http://www.cis.upenn.edu/~bywang/concur99.html).

Another popular heuristic for improving on-the-fly search is reduction using symmetry. Again, our method is incomparable to and compatible with symmetry reduction. In particular, note that in our examples, if we change the individual clients so that they behave slightly differently from each other, or the different join nodes compute different functions, there will be no significant impact on the reduction obtained. In the parity computer example, if we change Join1 to its complement, the experiment shows that our heuristic still achieves the same reduction for the eight-client system.

Process-algebraic tools such as the Concurrency Workbench and CADP implement reductions based on weak simulation (or even the less expensive reduction that compresses internal transitions). We have already discussed our motivation to explore on-the-fly algorithms that implement the reduction in a top-down manner.

In this paper, we have used next only to compress invisible transitions. However, our search algorithm can be used effectively in other contexts. First, next can be supplied an argument that contains only a subset of the visible transitions. This would perform a more efficient search at a coarser granularity of atomicity. Note that, while this is similar in spirit to the atomic construct in the language of Spin to cluster a sequence of atomic transitions, it gives a high-level and hierarchical construct. Second, next can be used to implement the so-called "run-to-completion" semantics in which transitions are executed until there are no more enabled transitions.
Abstract. Scenario-based specifications such as message sequence charts (MSC) offer an intuitive and visual way of describing design requirements. Such specifications focus on message exchanges among communicating entities in distributed software systems. Structured specifications such as MSC-graphs and Hierarchical MSC-graphs (HMSC) allow convenient expression of multiple scenarios, and can be viewed as an early model of the system. In this paper, we present a comprehensive study of the problem of verifying whether this model satisfies a temporal requirement given by an automaton, by developing algorithms for the different cases along with matching lower bounds.

When the model is given as an MSC, model checking can be done by constructing a suitable automaton for the linearizations of the partial order specified by the MSC, and the problem is coNP-complete. When the model is given by an MSC-graph, we consider two possible semantics depending on the synchronous or asynchronous interpretation of concatenating two MSCs. For synchronous model checking of MSC-graphs and HMSCs, we present algorithms whose time complexity is proportional to the product of the size of the description and the cost of processing MSCs at individual vertices. Under the asynchronous interpretation, we prove undecidability of the model checking problem. We then identify a natural requirement of boundedness, give algorithms to check boundedness, and establish asynchronous model checking to be PSPACE-complete for bounded MSC-graphs and EXPSPACE-complete for bounded HMSCs.



1 Introduction 

Message sequence charts (MSCs), and related formalisms such as time sequence diagrams, message flow diagrams, and object interaction diagrams, are a popular visual formalism for documenting design requirements for concurrent systems such as telecommunications software. MSCs are often used in the first attempts to formalize design requirements for a new system and its protocols. MSCs represent typical execution scenarios, providing examples of either normal or exceptional executions ('sunny day' or 'rainy day' scenarios) of the proposed system. The clear graphical layout of an MSC immediately gives an intuitive understanding of the intended system behavior.

* Supported in part by NSF CAREER award CCR-9734115 and by the DARPA grant 
NAG2-1214. 
In the simplest form, an MSC depicts the desired exchange of messages, and corresponds to a single (partial-order) execution of the system. In recent years, a variety of features have been introduced so that a designer can specify multiple scenarios conveniently. In particular, MSC-graphs allow MSCs to be combined using operations such as choice, concatenation, and repetition. Hierarchical MSCs (HMSC), also called high-level MSCs, allow improved structuring of such graphs by introducing abstraction and sharing. All these features are incorporated in an international standard, called Z.120, promoted by ITU. MSCs or similar formalisms are increasingly being used by designers for specifying requirements. Such specifications are naturally compatible with object-oriented design methods, and are being supported by almost all the modern software engineering methodologies such as SDL, ROOM and UML.

We believe that scenario-based requirements will play an increasingly prominent role in the design of software systems that require communication among distributed agents. Requirements expressed using MSCs (or HMSCs) have a formal semantics, and hence can be subjected to analysis. Since MSCs are used at a very early stage of design, any errors revealed during their analysis have a high pay-off. This has already motivated the development of algorithms for detecting race conditions and timing conflicts, pattern matching, detecting non-local choice, and tools such as uBET. In this paper, inspired by the success of model checking in debugging high-level hardware and software designs, we develop a methodology and algorithms for model checking of scenario-based requirements.

It is worth noting that the traditional high-level model for concurrent systems has been communicating state machines. Both communicating state machines and HMSCs can be viewed as specifying sets of behaviors, but the two offer dual views: the former is a parallel composition of sequential machines, while the latter is a sequential composition of concurrent executions. Analyzing communicating state machines is known to be computationally expensive, PSPACE or worse, and in spite of the remarkable progress in developing heuristics, still remains the main bottleneck in the application of model checking. Consequently, translating MSC-based specifications to communicating state machines, as suggested in previous approaches, may not lead to the most efficient procedures. Also there is a difference in expressive power between the two formalisms in general. The problem of analyzing HMSCs is interesting and important in its own right, and is investigated in this paper.

We formalize the model checking problem using the automata-theoretic approach to formal verification. The system under design is described by an MSC, an MSC-graph, or an HMSC, in which the individual events are labeled with symbols from an alphabet Σ. The semantics of the system is a language of strings over Σ. The specification is described by an automaton over Σ whose language consists of the undesirable behaviors, and model checking corresponds to checking if the intersection of the two languages is empty. When the system is described by an MSC-graph or an HMSC, the choice of the associated language depends on the interpretation of the concatenation of two MSCs. We consider two natural choices: in the synchronous concatenation of two MSCs M1 and M2, any event in M2 is assumed to happen after all the events in M1, while the asynchronous interpretation corresponds to concatenating two MSCs process by process.

An MSC M specifies a partial ordering of the events it contains, and the model checking problem for M can be solved by constructing an automaton that accepts all possible linearizations of the partial order and checking this automaton against the given specification automaton. We establish the model checking problem for MSCs to be coNP-complete. For model checking of MSC-graphs under the synchronous interpretation of concatenation, we replace each vertex of the MSC-graph by an automaton that accepts all the linearizations of the associated MSC, construct the product with the specification automaton, and check for emptiness. For HMSCs, a similar strategy reduces the model checking problem to a problem for hierarchical state machines, and then we employ the known efficient algorithms for searching the hierarchical structure without flattening it. The resulting complexity for both MSC-graphs and HMSCs is proportional to the size of the system description times the complexity of model checking individual MSCs. In both cases, the model checking problem is proved to be coNP-complete.

Under the asynchronous interpretation of concatenation, the model checking problem for MSC-graphs turns out to be undecidable. The problem can be traced to descriptions which allow unbounded drift between the processes and whose correct implementation requires potentially unbounded buffers. We identify a subclass of bounded graphs which rule out such problems and entail decidability. We give an algorithm to check if an MSC-graph or an HMSC is bounded. The boundedness requirement is similar (though not identical) to the condition identified in earlier work to avoid process divergence. The earlier algorithm to detect divergence is exponential in the number of vertices for flat MSC-graphs (and its straightforward extension to HMSCs is doubly exponential). Our algorithm for checking boundedness extends also to process divergence and is exponential in the number of processes, but linear in the size of the MSC-graph or HMSC. We show the problem of checking boundedness (and process divergence) to be coNP-complete. Finally, we establish that the asynchronous model checking problem is PSPACE-complete for bounded MSC-graphs, and EXPSPACE-complete for HMSCs. In particular, for asynchronous model checking of HMSCs, the flattening of the hierarchy is unavoidable in the worst case (unlike the synchronous model checking and the testing of boundedness, where the flattening can be avoided).

2 Message Sequence Charts 

A sample message sequence chart is shown in Figure 1. Vertical lines in the chart correspond to asynchronous processes or autonomous agents. Messages exchanged between these processes are represented by arrows. The tail of each arrow corresponds to the event of sending a message, while the head corresponds to its receipt. Arrows can be drawn either horizontally or sloping downwards, but not upwards. Each arrow is labeled with a message identifier. We proceed to define MSCs formally. It is worth noting that our definitions capture the spirit of the standard Z.120, but differ in details and focus only on a subset of the features for the sake of clarity and simplicity.

Fig. 1. A sample message sequence chart



2.1 Formalization 

Formally, a message sequence chart M is a labeled directed acyclic graph with the following components:

- Processes: A finite set P of processes.

- Events: A finite set E of events that is partitioned into two sets: a set S of send events and a set R of receive events.

- Process Labels: A labeling function g that maps each event in E to a process in P. The set of events belonging to a process p is denoted by E_p.

- Send-receive Edges: A bijection f : S → R that associates each send event s with a unique receive event f(s) and each receive event r with a unique send event f^{-1}(r).

- Visual Order: For every process p there is a local total order <_p over the events E_p which corresponds to the order in which the events are displayed.

The local visual orders, together with the send-receive edges, define the relation

  < = [ ∪_p <_p ∪ { (s, f(s)) | s ∈ S } ]^*.

The relation < is a partial order over E since send-receive edges cannot go upwards in the chart. This formalization provides a simple, but precise, way to treat MSCs as mathematical objects. There are many alternative formalizations, for instance via translation to process algebras. Furthermore, the above formalization assumes that the ordering of the receipts of messages at a process
Fig. 2. A sample MSC graph G



coincides with the visual order. Depending on the underlying communication 
architecture, we may wish to employ alternative orderings, but this choice does 
not affect the complexity of the problems studied in this paper. 



2.2 MSC-Graphs 

A natural way to structure multiple scenarios is to employ graphs whose nodes 
are MSCs. An MSC-graph is a graph whose nodes are labeled with MSCs, and 
whose edges correspond to concatenation of MSCs. A sample MSC graph is 
depicted in Figure 2. The first node corresponds to a scenario $M_1$ in which 
the server initiates a database lookup to process a client request. The scenario 
$M_1$ is followed by either scenario $M_2$ or by the scenario $M_3$. The scenario $M_2$ 
corresponds to a positive response from the database, while the scenario $M_3$ 
models a negative response from the database. The hexagonal box is called a 
condition in the MSC standard, and is used to indicate a choice or branching in 
MSC graphs. For the purpose of this paper, conditions will be uninterpreted, and 
hence, can be ignored in the formalization. Formally, an MSC-graph $G$ consists 
of a set $V$ of vertices, a binary relation $\to$ over $V$, an initial vertex $v^I$, a terminal 
vertex $v^T$, and a labeling function $\mu$ that maps each vertex $v$ to an MSC. The 
paths that start at the initial vertex and end at the terminal vertex represent 
the finite executions of the system modeled by the MSC-graph, while the infinite 
executions are represented by all the infinite paths starting at the initial vertex. 
Note that the definition can be modified to allow multiple terminal vertices 
without affecting any of the complexity bounds in this paper. 
2.3 Hierarchical MSCs 

Hierarchical MSCs (HMSC) (also called high-level MSCs) offer an improved 
structuring mechanism. Consider the sample HMSC shown in Figure 3. It is like 
an MSC-graph, and has three nodes $M_I$, $M_B$, and $M_F$. The nodes $M_I$ and $M_F$ are 
MSCs as in an MSC-graph, but the node $M_B$ is labeled by another MSC-graph 
$G$. Thus, the node $M_B$ is like a superstate in hierarchical state-machines such as 
Statecharts. The MSC $M_I$ depicts the sequence of messages for initialization. 
As seen earlier, the MSC-graph $G$ depicts the sequence of messages for processing 
individual requests. After completing one request, either $G$ gets repeated, 
or the system terminates after executing the termination sequence of messages 
depicted in $M_F$. Note that the structure of $G$ is not visible at the top level. In 
a typical graphical interface, the graph $G$ itself can be viewed by clicking on 
the node $M_B$. 

More generally, a hierarchical MSC consists of a graph whose nodes are either 
MSCs or are labeled with another hierarchical MSC. Thus, the definition allows 
nesting of graphs, provided the nesting is finite. In other words, the definition 
of HMSCs cannot be mutually recursive: if a node of an HMSC $M$ is labeled 
with another HMSC $M'$, then a node of $M'$ cannot be labeled with $M$ (or any 
other HMSC that refers to $M$). Another important aspect of the definition is 
that different nodes can be labeled with the same HMSC. For instance, once 
we have defined the request-processing scenario $G$ (Figure 2), it can be used 
multiple times, possibly in different contexts, just like a function in a traditional 
programming language. This allows reuse and sharing, and leads to a succinct 
representation of complex scenarios. 

Formally, a Hierarchical MSC is a tuple $H = (N, B, v^I, v^T, \mu, E)$, where 

— $N$ is a finite set of nodes. 

— $B$ is a finite set of boxes (or supernodes). 

— $v^I \in N \cup B$ is the initial node or box. 

— $v^T \in N \cup B$ is the terminal node or box. 

— $\mu$ is a labeling function that maps each node in $N$ to an MSC, and each box 
in $B$ to another (already defined) HMSC. 

— $E \subseteq (N \cup B) \times (N \cup B)$ is the set of edges that connect nodes and boxes to 
each other. 

The meaning of an HMSC $H$ is defined by recursively substituting each box 
by the corresponding HMSC to obtain an MSC-graph. For an HMSC $H = 
(N, B, v^I, v^T, \mu, E)$, the flattened MSC-graph $H^F$ is defined as follows. For each 
box $b$, let $b^F$ be the MSC-graph $(\mu(b))^F$ obtained by flattening $\mu(b)$. The MSC-
graph $H^F$ has the following components: 

Vertices. Every node of $H$ is a vertex of $H^F$. For a box $b$ of $H$, for every vertex 
$v$ of $b^F$, the pair $(b, v)$ is a vertex of $H^F$. 

Initial Vertex. If $v^I \in N$ then the initial vertex of $H^F$ is $v^I$. If $v^I \in B$, then 
if the initial vertex of $(v^I)^F$ is $v$ then the pair $(v^I, v)$ is the initial vertex of 
$H^F$. 

Terminal Vertex. If $v^T \in N$ then the terminal vertex of $H^F$ is $v^T$. If $v^T \in B$, 
then if the terminal vertex of $(v^T)^F$ is $v$ then the pair $(v^T, v)$ is the terminal 
vertex of $H^F$. 

Labeling with MSCs. For a node $u$ of $H$, the label of $u$ in $H^F$ is the same as the 
label $\mu(u)$. For a box $b$ of $H$, for every vertex $v$ of $b^F$, the label of $(b, v)$ in 
$H^F$ is the same as the label of $v$ in $b^F$. 

Edges. For an edge $(u, v)$ of $H$, $(u', v')$ is an edge of $H^F$, where if $u \in N$ then 
$u' = u$ else $u' = (u, u'')$ for the terminal vertex $u''$ of $u^F$, and if $v \in N$ then 
$v' = v$ else $v' = (v, v'')$ for the initial vertex $v''$ of $v^F$. 

Thus, the vertices in the flattened graph are tuples whose last component is a 
node, and remaining components are boxes that specify the context. The MSC 
labeling the last component determines the label of a vertex. Note that the num- 
ber of components in a vertex is bounded by the nesting depth of the description, 
and the number of vertices can be exponential in the nesting depth. 

In our definition, a box can be entered only at its entry vertex, and can be 
exited only at its terminal vertex. This choice is only for the sake of simplicity 
of presentation, and we can allow edges connecting to and from specific vertices 
inside a box without a significant penalty on the complexity of algorithms. 
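The flattening procedure above, written out in Python as an added example (this is not the paper's code): boxes are substituted recursively, vertices are the tuples the text describes, and the shared-sub-HMSC construction shows the exponential growth in nesting depth. The HMSCs and every node, box and message name below are constructed.

```python
"""Added example (not the paper's code): flattening a hierarchical MSC into an
MSC-graph as in Section 2.3, using the tuple-shaped vertices the text describes.
The HMSCs below and all node, box and message names are constructed."""


def flatten(H):
    """H = (N, B, v_I, v_T, mu, E) is given as a dict with keys 'nodes'
    (name -> MSC label), 'boxes' (name -> HMSC), 'init', 'term' and 'edges'.
    Returns (vertices, edges, initial vertex, terminal vertex, labels) of H^F:
    a node u becomes the vertex (u,), a vertex v of box b becomes (b,) + v, so
    the last component is always a node and the rest is the box context."""
    vertices, edges, labels, entry, leave = [], [], {}, {}, {}
    for u, msc in H["nodes"].items():
        vertices.append((u,))
        labels[(u,)] = msc
        entry[u] = leave[u] = (u,)           # a node is entered and left at itself
    for b, sub in H["boxes"].items():
        sv, se, si, st, sl = flatten(sub)    # b^F; recursion ends since nesting is finite
        for v in sv:
            vertices.append((b,) + v)
            labels[(b,) + v] = sl[v]         # label of (b, v) is the label of v in b^F
        edges += [((b,) + x, (b,) + y) for x, y in se]
        entry[b], leave[b] = (b,) + si, (b,) + st   # boxes are entered/left at v_I/v_T
    for u, v in H["edges"]:                  # edge (u, v): from u's terminal to v's initial
        edges.append((leave[u], entry[v]))
    return vertices, edges, entry[H["init"]], leave[H["term"]], labels


# Request-processing MSC-graph G modelled on Section 2.2, as a box-free HMSC.
G = {"nodes": {"M1": "server->db: query", "M2": "db->server: ok",
               "M3": "db->server: fail", "M4": "server->client: resp"},
     "boxes": {}, "init": "M1", "term": "M4",
     "edges": [("M1", "M2"), ("M1", "M3"), ("M2", "M4"), ("M3", "M4")]}

# Top-level HMSC shaped like the one in Section 2.3: initialise, repeat G, terminate.
TOP = {"nodes": {"MI": "client->server: hello", "MF": "client->server: bye"},
       "boxes": {"MB": G}, "init": "MI", "term": "MF",
       "edges": [("MI", "MB"), ("MB", "MB"), ("MB", "MF")]}


def nested(depth):
    """An HMSC whose size is linear in depth because its two boxes share one
    sub-HMSC; its flattening has 2**depth vertices (the blow-up noted above)."""
    if depth == 0:
        return {"nodes": {"leaf": "p->q: m"}, "boxes": {},
                "init": "leaf", "term": "leaf", "edges": []}
    sub = nested(depth - 1)
    return {"nodes": {}, "boxes": {"b1": sub, "b2": sub},
            "init": "b1", "term": "b2", "edges": [("b1", "b2")]}
```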

3 Model Checking of MSCs 

To formalize the model checking problem, given an MSC $M$ with event-set $E$, 
we introduce another component in the MSC-specification, namely, labeling of 
events in $E$ with symbols in a given alphabet. For an alphabet $\Sigma$, a $\Sigma$-labeled 
MSC is a pair $(M, \ell)$ where $M$ is an MSC and $\ell$ is a function from $E$ to $\Sigma$. A 
$\Sigma$-labeled MSC can be viewed as a partially-ordered multiset (pomset). 

Consider a $\Sigma$-labeled MSC $M$ with events $E$ and labeling $\ell$. Recall that the 
MSC specifies a partial ordering of the events in $E$. If we consider all possible 
linearizations of this partial order, and map each ordering to a string over $\Sigma$ by 
replacing each event $e$ by its associated symbol $\ell(e)$, the resulting set of strings 
is called the language of $M$, and is denoted $L(M)$. Alternatively, we can label 
the messages in $M$, or we can label both the events and the messages. Such a 
choice would not affect the complexity of the model checking algorithms. 
For a $\Sigma$-labeled MSC $M$, the language $L(M)$ represents the possible executions 
of the system. The requirement can be specified by an automaton $A$ 
over $\Sigma$ which accepts all the undesirable executions: the system $M$ satisfies the 
specification $A$ iff the intersection $L(M) \cap L(A)$ is empty. The model checking 
problem for MSCs is, then, given a $\Sigma$-labeled MSC $M$ and an automaton $A$ over 
$\Sigma$, determine whether or not $L(M) \cap L(A)$ is empty. 

Let $M$ be an MSC with event set $E$ and partial order $<$. To solve the model 
checking problem, we can construct an automaton $A_M$ that accepts $L(M)$ using 
the standard technique of extracting global states from a partial order as follows. 
A cut $c$ is a subset of $E$ that is closed with respect to $<$: if $e \in c$ and $e' < e$ then 
$e' \in c$. Since all the events of a single process are linearly ordered, a cut can be 
specified by a tuple that gives the maxim6al event of each process. The states of 
the automaton $A_M$ correspond to the cuts. The empty cut is the initial state, 
and the cut with all the events is the final state. If the cut $d$ equals the cut $c$ 
plus a single event $e$, then there is an edge from $c$ to $d$ on the symbol $\ell(e)$. It is 
easy to verify that the automaton $A_M$ accepts the language $L(M)$. The size of 
$A_M$ corresponds to the number of cuts, and is bounded by $n^k$, if $M$ has $n$ events 
and $k$ processes. The model checking problem with respect to a specification 
automaton $A$ can now be reduced to a reachability problem over the product of 
$A_M$ and $A$. 

Theorem 1. Given a $\Sigma$-labeled MSC $M$ with $n$ events and $k$ processes, and an 
automaton $A$ of size $m$, the model checking problem $(M, A)$ can be solved in time 
$O(m \cdot n^k)$, and is coNP-complete.¹ 

4 Model Checking of MSC-Graphs 

For an alphabet $\Sigma$, a $\Sigma$-labeled MSC-graph $G$ is a graph $(V, \to, v^I, v^T, \mu)$, where 
$\mu$ maps each vertex to a $\Sigma$-labeled MSC. To define the model checking problem 
for such graphs, we must associate a language with each graph. First, let us 
note that there is no unique interpretation of the concatenation. As an example, 
consider the concatenation of two MSCs $M_1$ and $M_2$ depicted in Figure 4. Under 
the synchronous interpretation, all the events in the MSC $M_1$ finish before any 
event in the MSC $M_2$ occurs. Thus, the event $r_2$ is guaranteed to occur before 
the event $s_3$. The asynchronous interpretation corresponds to concatenating the 
two MSCs process by process. Thus, the event $s_3$ will happen after the event 
$s_2$, but has no causal relationship to the event $r_2$. The partial orders of events 
resulting from these two interpretations are shown in Figure 4. 

The synchronous interpretation is closer to the visual structure of the MSC-
graph and may be closer to the behavior of the system that the designer of 
the MSC-graph has in mind. However, it has a high implementation cost to enforce 
(some additional messages must be introduced to ensure that processes do 
not commence to execute $M_2$ unless all the events in $M_1$ have occurred). The 
asynchronous interpretation is advocated by the standard Z.120. It has no 
implementation overhead, but it introduces potentially unbounded configurations. 
We will study both possibilities. 

¹ The proofs are omitted due to lack of space. To obtain the full version that includes 
the proofs, please contact the authors. 

Fig. 4. Two interpretations of concatenation 

4.1 Synchronous Concatenation 

In the synchronous interpretation, the language of the concatenation of two MSCs is 
the concatenation of the languages of the component MSCs. For an MSC-graph $G = 
(V, \to, v^I, v^T, \mu)$, a path is a sequence $\rho = v_0 v_1 \ldots v_n$ such that $v_i \to v_{i+1}$ for $0 \le 
i < n$. An accepting path is a path $v_0 v_1 \ldots v_n$ such that $v_0 = v^I$ and $v_n = v^T$. In a 
$\Sigma$-labeled MSC-graph $G$, each vertex is mapped to a $\Sigma$-labeled MSC, and thus, 
has a language associated with it. The language of $G$ is obtained by considering 
concatenation of languages of vertices along accepting paths. Formally, given a 
$\Sigma$-labeled MSC-graph $G = (V, \to, v^I, v^T, \mu)$, the synchronous-language $L^s(G)$ is 
the set of strings $\sigma_0 \cdot \sigma_1 \cdots \sigma_n$ such that there exists an accepting path $v_0 v_1 \cdots v_n$ 
in $G$ with $\sigma_i \in L(\mu(v_i))$ for $0 \le i \le n$. 

In the synchronous model checking problem, we are given a $\Sigma$-labeled MSC-
graph $G$, and an automaton $A$ over $\Sigma$, and we wish to determine whether or not 
the intersection $L^s(G) \cap L(A)$ is empty. To solve the problem, we construct an 
automaton $A_G$ that accepts the language $L^s(G)$ as follows. Replace each vertex 
$v$ of $G$ by the automaton $A_{\mu(v)}$ that accepts the language corresponding to the 
MSC-label of $v$. An edge from a vertex $u$ to a vertex $v$ is replaced by edges 
that ensure concatenation of the languages of $A_{\mu(u)}$ and $A_{\mu(v)}$ (concatenation of 
automata is a standard operation, and the details are omitted here). If each of 
the MSCs labeling the vertices of $G$ has at most $n$ events and $k$ processes, then 
each of the individual automata has at most $n^k$ states. If $G$ has $m$ vertices then 
$A_G$ has at most $m \cdot n^k$ states. 

Theorem 2. Given a $\Sigma$-labeled MSC-graph $G$ with $m$ vertices, each of which is 
labeled with an MSC with at most $n$ events and $k$ processes, and an automaton $A$ 
of size $a$, the synchronous model checking problem $(G, A)$ can be solved in time 
$O(m \cdot a \cdot n^k)$, and is coNP-complete. 



4.2 Asynchronous Concatenation 

The asynchronous concatenation of two MSCs gives another MSC. Let $M_1 = 
(P_1, E_1, g_1, f_1, \{<^1_p \mid p \in P_1\})$ and $M_2 = (P_2, E_2, g_2, f_2, \{<^2_p \mid p \in P_2\})$ be two 
MSCs. The asynchronous concatenation of $M_1$ and $M_2$ is the MSC $M$ defined 
by 

— The set of processes is the union $P_1 \cup P_2$. 

— Assuming the two event sets $E_1$ and $E_2$ are disjoint, the set of events is the 
union $E_1 \cup E_2$. 

— The process labels stay unchanged: for $e \in E_1$, $g(e) = g_1(e)$ and for $e \in E_2$, 
$g(e) = g_2(e)$. 

— The send-receive edges are unchanged: for $e \in S_1$, $f(e) = f_1(e)$ and for 
$e \in S_2$, $f(e) = f_2(e)$. 

— For $p \in P_1 \setminus P_2$, $<_p$ equals $<^1_p$, and for $p \in P_2 \setminus P_1$, $<_p$ equals $<^2_p$. The ordering 
of events belonging to a common process $p \in P_1 \cap P_2$ is the concatenation 
of the component orderings: $<_p$ equals $<^1_p \cup <^2_p \cup E_{1p} \times E_{2p}$. 

The asynchronous concatenation operation extends to $\Sigma$-labeled MSCs. To associate 
a language with a $\Sigma$-labeled MSC-graph $G$ under the asynchronous interpretation, 
we can associate an MSC with each path by asynchronously concatenating 
MSCs corresponding to individual vertices. The language of the graph 
is the union of the languages of all such MSCs associated with the accepting 
paths. Formally, given a $\Sigma$-labeled MSC-graph $G = (V, \to, v^I, v^T, \mu)$ and a 
path $\rho = v_0 v_1 \ldots v_n$, the $\Sigma$-labeled MSC $\mu(v_0) \cdot \mu(v_1) \cdots \mu(v_n)$ is denoted $M_\rho$. 
The asynchronous-language $L^a(G)$ is the set 

$$\{\, L(M_\rho) \mid \rho \text{ is an accepting path in } G \,\}.$$

Under the asynchronous interpretation, the language of a graph need not be 
regular. For instance, consider an MSC $M$ containing a single send-receive edge: 
send-event $s$ by process $p_1$ followed by a receive-event $r$ by process $p_2$. In the 
MSC-graph $M^*$, under the asynchronous interpretation, process $p_1$ can send 
arbitrarily many messages to process $p_2$ before any message is actually received by 
process $p_2$. A key property that contributes to the complexity is the following: 
the language of the asynchronous concatenation of two MSCs with no processes 
in common is the shuffle of the languages of the components. This can be exploited 
to encode computations of Turing machines as shown below. This result 
strengthens an earlier result in which the intersection of two MSC graphs is shown 
to be undecidable. 

Theorem 3. The asynchronous model checking problem (G, A) for MSC-graphs 
is undecidable. 
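As an added illustration that is not from the paper, the following Python puts together the MSC formalization of Section 2.1, the cut automaton and product-reachability check of Section 3, and the asynchronous concatenation of Section 4.2, including the $M \cdot M$ situation just described. The request-processing MSC, the specification automata, and all process and message names are constructed assumptions.

```python
"""Added example (not the paper's code): an MSC as a labeled DAG (Section 2.1),
the asynchronous concatenation of Section 4.2, and the cut automaton A_M with
the product-reachability check of Section 3.  All sample data are constructed."""


class MSC:
    """Processes P, events E = S ∪ R, process labels g, the send-receive
    bijection f and one visual order <_p per process (Section 2.1)."""

    def __init__(self, processes, msgs):
        # msgs: (sender, receiver, message id) triples in visual (top-down) order
        self.P, self.msgs = set(processes), list(msgs)
        self.g, self.f, self.label = {}, {}, {}
        self.order = {p: [] for p in self.P}   # <_p as the displayed event sequence
        for i, (p, q, m) in enumerate(self.msgs):
            s, r = ("s", i), ("r", i)          # send event s and its receipt r = f(s)
            self.g[s], self.g[r], self.f[s] = p, q, r
            self.label[s], self.label[r] = "!" + m, "?" + m   # Σ-labels of the events
            self.order[p].append(s)
            self.order[q].append(r)
        self.E = list(self.f) + list(self.f.values())

    def concat(self, other):
        """Asynchronous concatenation M1 · M2 (Section 4.2): union of processes and
        of the (renumbered, hence disjoint) events, g and f unchanged, and <_p
        equal to <1_p followed by <2_p, i.e. message lists joined process by process."""
        return MSC(self.P | other.P, self.msgs + other.msgs)

    def predecessors(self):
        """Immediate predecessors under < = (∪_p <_p ∪ {(s, f(s)) | s ∈ S})^*."""
        pred = {e: set() for e in self.E}
        for seq in self.order.values():
            for a, b in zip(seq, seq[1:]):
                pred[b].add(a)
        for s, r in self.f.items():
            pred[r].add(s)
        return pred


def cut_automaton(msc):
    """A_M: states are the cuts (<-closed event sets); from cut c there is an edge
    labelled ℓ(e) to c ∪ {e} whenever all predecessors of e lie in c.
    Returns (initial cut, final cut, transitions: cut -> [(symbol, cut)])."""
    pred = msc.predecessors()
    start, full = frozenset(), frozenset(msc.E)
    trans, todo = {}, [start]
    while todo:
        c = todo.pop()
        trans[c] = []
        for e in msc.E:
            if e not in c and pred[e] <= c:
                d = c | {e}
                trans[c].append((msc.label[e], d))
                if d not in trans and d not in todo:
                    todo.append(d)
    return start, full, trans


def counterexample_exists(msc, spec):
    """Reachability over the product A_M × A.  spec = (q0, delta, accepting) is
    a DFA over Σ accepting the undesirable executions; delta maps (state,
    symbol) to a state and missing entries are self-loops.  True iff
    L(M) ∩ L(A) ≠ ∅, i.e. some linearization of M is accepted by A."""
    start, full, trans = cut_automaton(msc)
    q0, delta, accepting = spec
    todo, seen = [(start, q0)], {(start, q0)}
    while todo:
        c, q = todo.pop()
        if c == full and q in accepting:   # a complete linearization accepted by A
            return True
        for sym, d in trans[c]:
            nxt = (d, delta.get((q, sym), q))
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return False


# Constructed request-processing scenario (an assumption, in the spirit of
# Section 2.2): the server queries a database, answers the client, then logs.
REQUEST = MSC(["client", "server", "db", "log"], [
    ("client", "server", "req"), ("server", "db", "query"),
    ("db", "server", "ans"), ("server", "client", "resp"),
    ("server", "log", "audit"),
])
# Undesirable: the logger receives 'audit' before the client receives 'resp'.
# The two receipts are causally unrelated, so a counterexample exists.
AUDIT_FIRST = (0, {(0, "?audit"): 1, (0, "?resp"): 2}, {1})
# Undesirable: 'resp' received before the database answer reached the server;
# impossible, since ?ans <_server !resp < ?resp.
RESP_BEFORE_ANS = (0, {(0, "?resp"): 1, (0, "?ans"): 2}, {1})
# The MSC M of Section 4.2 (one message p1 -> p2).  In the asynchronous
# concatenation M · M, p1 can send twice before p2 has received anything.
SINGLE = MSC(["p1", "p2"], [("p1", "p2", "m")])
TWO_SENDS_AHEAD = (0, {(0, "!m"): 1, (1, "!m"): 2, (0, "?m"): 3, (1, "?m"): 3}, {2})
```

Calling `counterexample_exists(REQUEST, AUDIT_FIRST)` reports a violation, `counterexample_exists(REQUEST, RESP_BEFORE_ANS)` reports none, and `counterexample_exists(SINGLE.concat(SINGLE), TWO_SENDS_AHEAD)` shows the run-ahead that the synchronous interpretation would forbid.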
4.3 Bounded MSC-Graphs 

Given an MSC $M$ with set $P$ of processes, define the communication graph $H_M$ 
of $M$ to be the graph with $P$ as its vertices and with an arc from process $p$ 
to process $q$ if $p$ sends a message to $q$ in $M$. Given an MSC-graph $G$ and a 
subset $S$ of its vertices, the communication graph $H_S$ of $S$ is the union of the 
communication graphs of the MSCs corresponding to the vertices in $S$: the set of 
vertices of $H_S$ is the set $P$ of all the processes, and there is an arc from process 
$p$ to process $q$ if $p$ sends a message to $q$ in the MSC $\mu(v)$ for some $v \in S$. For 
a set $S$ of vertices, we denote by $P_S$ the set of processes that send or receive a 
message in the MSC of some vertex in $S$, and call them the active processes of 
the set $S$. We call an MSC-graph bounded if for every cycle $\rho$ of $G$, the subgraph 
of the communication graph $H_\rho$ induced by the set $P_\rho$ of active processes of the 
cycle is strongly connected. In other words, the communication graph $H_\rho$ on all the 
processes consists of one nontrivial strongly connected component and isolated 
nodes corresponding to processes that are inactive throughout the cycle. 

We proceed to establish that the asynchronous model checking problem for 
bounded MSC-graphs is decidable. Given a bounded MSC-graph $G$, we wish to 
construct an automaton that generates the asynchronous language of $G$. Basically, 
the automaton traverses a path in $G$, and generates a linearization of 
the MSC obtained by concatenating the MSCs labeling the nodes on the traversed 
path. Such a linearization can be generated by letting, at every step, one of 
the processes execute its next step. Due to the asynchronous nature of concatenation, 
the processes can drift, that is, even before all the events in the MSC 
corresponding to one node are executed, some processes may proceed to the next 
node. If we could show that processes can drift apart only by a finite distance, 
say, bounded by the number of nodes in the graph, then it would follow that it 
suffices for the automaton to remember only a finite suffix of the path. Unfortunately, 
this does not hold. For example, the processes may be partitioned into 
two disjoint sets $Q$ and $Q'$ such that all the processes in $Q'$ "overtake" all the 
processes in $Q$, and proceed to execute a cycle, possibly multiple times, in which 
all the processes in $Q$ are inactive. Furthermore, the processes in $Q$ may traverse 
paths in which all processes in $Q'$ are inactive while processes in $Q$ are active, 
thus imposing constraints on what the processes in $Q$ should do in future. In 
the sequel, we will show that remembering only a finite amount of information 
suffices even if unbounded intervals of the path are of relevance. To get some 
intuition for the detailed construction, consider the scenario just described in 
which processes in $Q'$, after overtaking $Q$, traverse a path that alternates between 
intervals in which only processes in $Q$ are active and intervals in which 
only processes in $Q'$ are active. First, due to the definition of boundedness, the 
number of such alternations is bounded (otherwise, there would be a cycle with 
two nontrivial strongly connected components in the communication graph). 
Second, while the individual intervals can be unbounded, it suffices to remember 
only the end-points of each interval (in fact, only the end-points of the intervals 
in which only processes in $Q$ are active). It is worth noting that the construction 
would be simpler if we had used a weaker definition of boundedness which would 
require the communication graph of each cycle to be a single strongly connected 
component. However, allowing inactive processes in cycles seems important to 
us. 

Let $G$ be a bounded MSC-graph. Consider a path $\rho = v_0, v_1, \ldots$ through the 
graph, and its corresponding MSC $M_\rho$. Consider some linearization of $M_\rho$ and a 
prefix $\alpha$ of the linearization. That is, $\alpha$ is the set of events executed up to some 
point in time. We can partition the nodes of $\rho$ into three classes with respect to 
$\alpha$ as follows. A node is a past node if all the events of the MSC of that node are 
already executed in the prefix $\alpha$, a present node if some but not all the events of 
the MSC of that node are executed, and a future node if no events corresponding 
to that node are executed yet. Since the MSC of each node contains at least one 
event (this can be assumed without loss of generality), each node of the path 
gets classified uniquely. Note that a node of $G$ may occur more than once in the 
path and different occurrences may be classified differently. 

Lemma 1. Consider a subpath of $\rho$ from node $v_i$ to $v_j$ such that the MSC-graph 
contains a "back" arc from $v_j$ to $v_i$. Then either (i) all nodes of $\rho$ from $v_i$ to $v_j$ 
(inclusive) are past, or (ii) all nodes of $\rho$ from $v_i$ to $v_j$ (inclusive) are future, or 
(iii) there is a process $p$ whose last executed step and next unexecuted step are 
both from the nodes $v_i, \ldots, v_j$. 

We define a configuration as a tuple consisting of the following components: 

1. A sequence of (not necessarily distinct) nodes $u_1, \ldots, u_t$ of the MSC-graph 
$G$, such that no node occurs more than $k$ times, where $k$ is the number of 
processes. 

2. A mapping from each process $p$ to one of the nodes $u_i$ in the sequence and 
to a position in the process line of $p$ in the MSC $\mu(u_i)$ (of course if $p$ is not 
active in $u_i$, then this last part is vacuous). 

3. For every $i = 1, \ldots, t-1$, a bit $b_i$ corresponding to the pair $(u_i, u_{i+1})$. 

Given a path $\rho$ and a prefix $\alpha$ of a linearization of it, we can define a configuration 
as follows. 

1. The sequence of nodes $u_1, \ldots, u_t$ consists of all the present nodes, those past 
nodes that are adjacent to future nodes (if the first and last node of a contiguous 
segment of past nodes are occurrences of the same node of the MSC 
graph, then we only need to keep one copy of the node), and the last node 
of the path $\rho$ if it is a past node; these past nodes will be needed later to 
fill in the future nodes consistently. It follows from the lemma that every 
node $v$ of the MSC-graph occurs at most $k$ times in the recorded sequence 
$u_1, \ldots, u_t$: if a node $v$ occurs $k+1$ times in the path $\rho$, then all $k$ processes must 
be executing steps in the previous $k$ intervals from $v$ to $v$, and therefore all 
nodes of the path $\rho$ up to and including the $(k+1)$th last occurrence of $v$ 
must be past nodes and are not selected. 

2. For the second component of the configuration, map every process $p$ to the 
node of the path $\rho$ that contains the last step executed by $p$, and to the 
corresponding event of the MSC, if the node is one of the selected nodes $u_i$; 
if the node is not among the $u_i$s, then map $p$ to the earliest subsequent $u_i$. 
We call this node the current node of $p$. 

3. For the third component, if the subpath of $\rho$ between $u_i$ and $u_{i+1}$ does not 
contain any future nodes, then set $b_i = 0$; if it contains some future nodes, 
then set $b_i = 1$. Note in the latter case that the subpath of $\rho$ consists in fact 
entirely of a sequence of future nodes bordered by $u_i$ and $u_{i+1}$ (which are 
past or present nodes). 

It is clear from the above derivation of a configuration from a partial execution 
that it satisfies several consistency and nonredundancy conditions. We call a 
configuration legal if it satisfies the following conditions. The mapping of the 
processes in the second component of a configuration induces a cut of the MSC 
formed by the concatenation of the MSCs $\mu(u_i)$ of the sequence of nodes $u_i$ 
in the first component; i.e. if a node $u_i$ contains a message from process $p$ to 
process $q$, and process $p$ is mapped before $u_i$ or at $u_i$ before the sending of the 
message, then process $q$ is mapped before $u_i$ or at $u_i$ before the reception of 
the message. Based on the mapping of the processes we can classify the selected 
nodes $u_i$ of the configuration as past, present or future. Then every node $u_i$ of 
the sequence is past or present; if a node $u_i$ is past then either $b_i = 1$ or $b_{i-1} = 1$; 
furthermore, if $b_{i-1} = 0$, then $u_{i-1}$ and $u_i$ are not occurrences of the same node 
of the MSC graph. If $(u_i, u_{i+1})$ is not an arc of the graph, then either $b_i = 1$ and 
there is a path in the MSC graph from $u_i$ to $u_{i+1}$ using only future nodes (i.e. 
nodes of the graph whose MSCs involve only processes that are mapped at or 
before $u_i$), or $b_i = 0$ and there is a path from $u_i$ to $u_{i+1}$ using only past nodes 
(i.e. nodes of the graph whose MSCs involve only processes that are mapped 
after $u_i$). An obvious upper bound on the number of possible configurations 
is $(km)!\,2^{km}\,(nmk)^k$. The following lemma gives a better upper bound on the 
number of legal configurations. 

Lemma 2. The number of legal configurations is no more than , 

where k is the number of processes, m is the number of vertices of G and n is 
the maximum number of events in a basic MSC of a vertex. 

To solve the asynchronous model checking problem, given a bounded $\Sigma$-
labeled MSC-graph $G$, we construct an automaton $A_G$ that accepts the language 
$L^a(G)$. The states of $A_G$ are all the legal configurations. The initial state is 
the configuration with one node $u_0$, the initial node of the MSC-graph, and all 
processes are mapped to it, at the beginning of their process lines. The accepting 
state is the configuration with one node $u_t$, the terminal node of the MSC-
graph, and all processes mapped to it at the end of their process lines. There are 
transitions representing the update of the configuration by execution of a single 
event. In addition we have $\epsilon$-transitions that allow the addition of new nodes in 
the middle or the end of the sequence, the removal of nodes that are not needed 
any more, the advancement of a process (once it is finished with the steps of a 
node) and so forth. 

In practice of course we will construct the automaton on the fly, generating 
states as needed. The automaton $A_G$ which accepts the linearizations of the 
MSC-graph $G$ has size at most $O(2^{km} \cdot (mnk)^k)$. This leads to the following 
bound. 

Theorem 4. Given a bounded $\Sigma$-labeled MSC-graph $G$ on $k$ processes with $m$ 
vertices, each of which is labeled with an MSC with at most $n$ events, and an 
automaton $A$ of size $a$, the asynchronous model checking problem $(G, A)$ can be 
solved in time $O(a \cdot 2^{km} \cdot (mnk)^k)$. 

A precise bound on the complexity is PSPACE: 

Theorem 5. The asynchronous model checking problem $(G, A)$ for bounded 
MSC-graphs is PSPACE-complete. Furthermore, the PSPACE-hardness holds even 
if we bound the number of processes and the number of events in individual MSCs, 
and even for a fixed property. 

Finally, we address the problem of determining if a given MSC-graph is 
bounded. For an MSC-graph with process set $P$, a subset $Q$ of processes is 
said to be a witness for unboundedness if there exists a cycle $\rho$ such that in the 
MSC $M_\rho$, no process in $Q$ sends a message to a process in $P \setminus Q$, and there is 
a process of $Q$ and a process of $P \setminus Q$ that are active (perform some step) in 
$\rho$. Verify that if $G$ is not bounded, then some subset must be a witness to the 
unboundedness. 

Whether a given set $Q$ of processes is a witness for unboundedness can be 
checked in linear time as follows. Remove from $G$ all vertices $v$ such that in the 
MSC $\mu(v)$ some process in $Q$ sends a message to some process in $P \setminus Q$, and let 
$G'$ be the resulting graph. Find the strongly connected components of $G'$. If for 
some strong component $C$ of $G'$ the corresponding set $P_C$ of active processes 
intersects both $Q$ and $P \setminus Q$, then $Q$ is a witness for unboundedness, and $G$ is 
not bounded. 

Theorem 6. Given an MSC-graph $G$ on $k$ processes with $m$ vertices, each of 
which is labeled with an MSC with at most $n$ events, checking whether $G$ is 
bounded can be solved in time $O(m \cdot n \cdot 2^k)$, and is coNP-complete. 

A requirement similar to boundedness was identified in earlier work in the context of 
process divergence, a situation in which a process sends a message an unbounded 
number of times ahead of a receiving process (thus requiring unbounded buffers). 
The condition for absence of divergence is that for every cycle $\rho$ of the MSC-graph 
$G$, the transitive closure of the communication graph $H_\rho$ is symmetric. This is 
equivalent to the requirement that every weakly connected component of $H_\rho$ be 
strongly connected (thus, every bounded MSC-graph is divergence-free, but not 
necessarily vice-versa). The algorithm given there for process-divergence requires 
checking each cycle, and thus, is exponential in the number of vertices in $G$, and 
no lower bound was given. We can use the same approach as for boundedness to 
give an algorithm for process divergence that is exponential only in the number 
of processes, and we can also show a lower bound along the same lines. 

Theorem 7. Given an MSC-graph $G$ on $k$ processes with $m$ vertices, each of 
which is labeled with an MSC with at most $n$ events, checking $G$ for process 
divergence can be solved in time $O(m \cdot n \cdot 2^k)$, and is coNP-complete. 
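The witness search for boundedness (Theorem 6) and the same search applied to process divergence (Theorem 7), as an added Python example that is not the paper's code. An MSC-graph is given by the messages of each vertex's MSC; the three sample graphs, including an $M^*$-style loop and a cycle of two independent ping-pong pairs that is divergence-free yet unbounded, are constructed assumptions, as is the choice to count only nontrivial strong components (a single vertex without a self-loop carries no cycle).

```python
"""Added example (not the paper's code): the witness-based boundedness test of
Section 4.3 and the matching process-divergence test, run over MSC-graphs given
by the messages of each vertex.  All sample graphs below are constructed."""
from itertools import combinations


def strong_components(vertices, edges):
    """Kosaraju's algorithm, iterative: returns the SCCs as a list of sets."""
    succ = {v: [] for v in vertices}
    pred = {v: [] for v in vertices}
    for u, v in edges:
        succ[u].append(v)
        pred[v].append(u)
    order, seen = [], set()
    for root in vertices:                     # pass 1: post-order on the graph
        if root in seen:
            continue
        seen.add(root)
        stack = [(root, iter(succ[root]))]
        while stack:
            node, it = stack[-1]
            for w in it:
                if w not in seen:
                    seen.add(w)
                    stack.append((w, iter(succ[w])))
                    break
            else:
                order.append(node)
                stack.pop()
    comps, assigned = [], set()
    for root in reversed(order):              # pass 2: flood the reversed graph
        if root in assigned:
            continue
        comp, todo = set(), [root]
        assigned.add(root)
        while todo:
            x = todo.pop()
            comp.add(x)
            for w in pred[x]:
                if w not in assigned:
                    assigned.add(w)
                    todo.append(w)
        comps.append(comp)
    return comps


def processes(G):
    """The process set P: every sender or receiver in some vertex's MSC."""
    return {x for msgs in G["vertices"].values() for m in msgs for x in m}


def cyclic_components(G, Q):
    """Drop the vertices whose MSC has a message from Q to P \\ Q (the paper's G')
    and yield the vertex sets of the nontrivial strong components of G', i.e.
    exactly the parts of G' that contain a cycle rho with no Q -> P \\ Q message."""
    kept = {v for v, msgs in G["vertices"].items()
            if not any(p in Q and q not in Q for p, q in msgs)}
    edges = [(u, v) for u, v in G["edges"] if u in kept and v in kept]
    for comp in strong_components(kept, edges):
        if len(comp) > 1 or any(u == v and u in comp for u, v in edges):
            yield comp


def is_witness(G, Q):
    """Q witnesses unboundedness if such a cycle has active processes on both sides."""
    P = processes(G)
    for comp in cyclic_components(G, Q):
        active = {x for v in comp for m in G["vertices"][v] for x in m}
        if active & Q and active & (P - Q):
            return True
    return False


def proper_subsets(P):
    """All nonempty proper subsets Q of P (2^k candidates, k = |P|)."""
    P = sorted(P)
    for r in range(1, len(P)):
        yield from (set(Q) for Q in combinations(P, r))


def is_bounded(G):
    """Theorem 6's search: one linear-time witness check per process subset."""
    return not any(is_witness(G, Q) for Q in proper_subsets(processes(G)))


def is_divergence_free(G):
    """Same search for the weaker condition: a cycle with a message into Q from
    P \\ Q but none out of Q makes the transitive closure of H_rho asymmetric."""
    for Q in proper_subsets(processes(G)):
        for comp in cyclic_components(G, Q):
            if any(p not in Q and q in Q for v in comp for p, q in G["vertices"][v]):
                return False
    return True


# Constructed sample graphs: vertex name -> messages (sender, receiver) of its MSC.
G_REQ = {"vertices": {"M1": [("client", "server"), ("server", "db")],
                      "M2": [("db", "server"), ("server", "client")]},
         "edges": [("M1", "M2"), ("M2", "M1")]}          # bounded: processes form one SCC
G_STAR = {"vertices": {"M": [("p1", "p2")]},
          "edges": [("M", "M")]}                         # M* of Section 4.2: p1 runs ahead
G_PAIRS = {"vertices": {"A": [("a", "b"), ("b", "a")], "B": [("c", "d"), ("d", "c")]},
           "edges": [("A", "B"), ("B", "A")]}            # divergence-free, yet unbounded
```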
5 Model Checking of HMSCs 

For an alphabet $\Sigma$, a $\Sigma$-labeled HMSC $H = (N, B, v^I, v^T, \mu, E)$ is like an HMSC, 
where $\mu$ maps nodes to $\Sigma$-labeled MSCs. By flattening a $\Sigma$-labeled HMSC $H$, we 
obtain a $\Sigma$-labeled MSC-graph $H^F$. Depending on whether the interpretation 
of concatenation is synchronous or asynchronous, we get two languages associated 
with $H$: the synchronous language $L^s(H)$ and the asynchronous language $L^a(H)$. 

In the synchronous model checking problem for HMSCs, we are given a 
$\Sigma$-labeled HMSC $H$, and an automaton $A$ over $\Sigma$, and we wish to decide if 
$L(A) \cap L^s(H)$ is empty. For this purpose, we translate $H$ into a hierarchical 
Kripke structure $A_H$ by replacing each atomic node $v$ in $H$, and recursively in 
every HMSC associated with the boxes of $H$, by the automaton $A_{\mu(v)}$, and 
replacing edges by the edges that ensure concatenation of the languages. The resulting 
hierarchical Kripke structure $A_H$ captures the language $L^s(H)$, and model 
checking of $H$ reduces to model checking of $A_H$, which can be solved using 
existing algorithms for hierarchical Kripke structures without flattening the hierarchy. 

Theorem 8. Given a $\Sigma$-labeled HMSC $H$ of size $m$, each of whose nodes is 
labeled with an MSC with at most $n$ events and $k$ processes, and an automaton 
$A$ of size $a$, the synchronous model checking problem $(H, A)$ can be solved in 
time $O(m \cdot a \cdot n^k)$, and is coNP-complete. 

The asynchronous model checking problem for HMSCs is, given a $\Sigma$-labeled 
HMSC $H$ and an automaton $A$, determine if $L(A) \cap L^a(H)$ is empty. Since the 
problem is undecidable even for MSC-graphs, we will consider only bounded 
HMSCs: an HMSC is bounded if the flattened MSC-graph is bounded. The 
asynchronous model checking problem $(H, A)$ can be solved by first constructing 
the MSC-graph $H^F$, and then using the model checking algorithm for the 
bounded MSC-graphs. If the size of $H$ is $m$, and its nesting depth is $d$, the 
size of $H^F$ is $m^d$. If each of the MSCs has at most $n$ events and $k$ processes, 
and $A$ has $a$ vertices, the resulting time bound for model checking is 
$O(a \cdot 2^{km^d} \cdot (m^d n k)^k)$. A precise bound on the complexity is exponential-space: 

Theorem 9. The asynchronous model checking problem $(H, A)$ for bounded 
HMSCs is EXPSPACE-complete. 

To determine if a given HMSC is bounded or not, for every process-set $Q$, we 
need to check if $Q$ is a witness for unboundedness. This reduces to detecting 
cycles of a specific form in the hierarchical graph, and, using previously described 
algorithms for hierarchical graphs, can be done in linear time. A similar algorithm can be used for 
checking process divergence. 

Theorem 10. Given an HMSC $H$ of size $m$, each of whose nodes is labeled with an 
MSC with at most $n$ events and $k$ processes, checking whether $H$ is bounded can 
be solved in time $O(m \cdot n \cdot 2^k)$, and is coNP-complete. 
Abstract. We present a tractable method for synthesizing arbitrarily 
large concurrent programs from specifications expressed in temporal 
logic. Our method does not explicitly construct the global state transition 
diagram of the program to be synthesized, and thereby avoids 
state explosion. Instead, it constructs a state transition diagram for each 
pair of component processes (of the program) that interact. This "pair-
program" embodies all possible interactions of the two processes. Our 
method proceeds in two steps. First, we construct a pair-program for 
every pair of "connected" processes, and analyze these pair-programs for 
desired correctness properties. We then take the "pair processes" of the 
pair-programs, and "compose" them in a certain way to synthesize the 
large concurrent program. We establish a "large model" theorem which 
shows that the synthesized large program inherits correctness properties 
from the pair-programs. 



1 Introduction 

We exhibit a method of automatically synthesizing a concurrent program consisting 
of $K$ sequential processes executing in parallel, from a temporal logic 
specification, where $K$ is an arbitrarily large natural number. Previous synthesis 
methods all rely on some form of exhaustive state space search, 
and thus suffer from the state explosion problem: synthesizing a concurrent program 
consisting of $K$ sequential processes, each with about $N$ local states, 
requires building the global state transition diagram of size at least $N^K$, in general. 
We show how to synthesize a large concurrent program by only constructing the 
product of small numbers of processes, and in particular, the product of a pair 
of processes, thereby avoiding the exponential complexity in $K$. 

Our method is a significant improvement over the previous literature. For example, the solutions synthesized in and for the mutual exclusion problem were only for two processes; consideration of just three processes made the problem infeasible for hand computation. Also, the examples given in are reactive modules containing only two single-bit variables. Therefore, we are able to overcome the severe limitations previously imposed by state explosion on the applicability of automatic temporal logic synthesis methods.

* Supported in part by NSF CAREER Grant CCR-9702616 and AFOSR Grant F49620-96-1-0221
A crucial aspect of our method is its soundness: what correctness properties of the pair-programs are preserved by the synthesized program? We show that any formula of the branching time temporal logic ACTL that is expressed over two processes, and contains no nexttime operator, is preserved. In particular, propositional invariants and some temporal leads-to properties of any pair-program also hold of the synthesized large program. (A temporal leads-to property has the following form: if condition 1 holds now, then condition 2 eventually holds. ACTL can express temporal leads-to if condition 1 is purely propositional.)

This paper extends the work of in two important ways: (1) it eliminates the requirement that all pair-programs be isomorphic to each other, which in effect constrains the synthesized program to contain only one type of interaction amongst its component processes, and (2) it extends the set of correctness properties that are preserved from propositional invariants and propositional temporal leads-to properties (i.e., leads-to properties where both conditions are purely propositional) to formulae that can contain arbitrary nesting of temporal modalities. Our examples will demonstrate the utility of this greater generality.

The rest of the paper is as follows. Section 2 presents our model of concurrent computation and Section 3 discusses temporal logic. Section 4 presents the synthesis method, and Section 5 establishes the method’s soundness. In Sections 6 and 7 we synthesize solutions to the readers-writers and two-phase commit problems respectively. The final section discusses further work and concludes.

2 Model of Concurrent Computation 

A concurrent program $P = P_1 \| \cdots \| P_K$ consists of a finite number of fixed sequential processes $P_1, \ldots, P_K$ running in parallel. With every process $P_i$, we associate a single, unique index, namely $i$. Two processes are similar if and only if one can be obtained from the other by swapping their indices. Intuitively, this corresponds to concurrent algorithms where a single “generic” indexed piece of code gives the code body for all processes.

We use the synchronization skeleton model of . The synchronization skeleton of a process $P_i$ is a state-machine where each state represents a region of code that performs some sequential computation and each arc represents a conditional transition (between different regions of sequential code) used to enforce synchronization constraints. For example, a node labeled $C_i$ may represent the critical section of $P_i$. While in $C_i$, $P_i$ may increment a single variable, or it may perform an extensive series of updates on a large database. In general, the internal structure and intended application of the regions of sequential code are unspecified in the synchronization skeleton. The abstraction to synchronization skeletons thus eliminates all steps of the sequential computation from consideration.

Formally, the synchronization skeleton of each process $P_i$ is a directed graph where each node $s_i$ is a unique local state of $P_i$, and each arc has a label of the form $\bigoplus_{\ell \in [1:n]} B_\ell \rightarrow A_\ell$, where each $B_\ell \rightarrow A_\ell$ is a guarded command , $[1:n]$ denotes the integers from 1 to $n$ inclusive, and $\oplus$ is guarded command “disjunction.” For example, in Figure 2 the arc of process $WP_j$ from $N_j$ to $T_j$ is labeled with $N_k \vee C_k \rightarrow skip \oplus T_k \rightarrow x_{jk} := k$.
Roughly, the operational semantics of $\bigoplus_{\ell \in [1:n]} B_\ell \rightarrow A_\ell$ is that if one of the $B_\ell$ evaluates to true, then the corresponding body $A_\ell$ can be executed. If none of the $B_\ell$ evaluates to true, then the command “blocks,” i.e., waits until one of the $B_\ell$ holds. Each node must have at least one outgoing arc, i.e., a skeleton contains no “dead ends,” and two nodes are connected by at most one arc in each direction. A global state is a tuple of the form $(s_1, \ldots, s_K, v_1, \ldots, v_m)$ where each $s_i$ is the current local state of $P_i$, and $v_1, \ldots, v_m$ is a list giving the current values of all the shared variables, $x_1, \ldots, x_m$ (we assume these are ordered in a fixed way, so that $v_1, \ldots, v_m$ specifies a unique value for each shared variable). A guard $B$ is a predicate on states, and a body $A$ is a parallel assignment statement that updates the values of the shared variables. If $B$ is omitted from a command, it is interpreted as true, and we write the command as $A$. If $A$ is omitted, the shared variables are unaltered, and we write the command as $B$.

We model parallelism in the usual way by the nondeterministic interleaving of the “atomic” transitions of the individual synchronization skeletons of the processes $P_i$. Hence, at each step of the computation, some process with an “enabled” arc is nondeterministically selected to be executed next. Assume that the current state is $s = (s_1, \ldots, s_i, \ldots, s_K, v_1, \ldots, v_m)$ and that $P_i$ contains an arc from $s_i$ to $s'_i$ labeled by the command $B \rightarrow A$. If $B$ is true in $s$, then a permissible next state is $(s_1, \ldots, s'_i, \ldots, s_K, v'_1, \ldots, v'_m)$ where $v'_1, \ldots, v'_m$ is the list of updated values for the shared variables produced by executing $A$ in state $s$. The arc from $s_i$ to $s'_i$ is said to be enabled in state $s$. An arc that is not enabled is disabled, or blocked. A (computation) path is any sequence of states where each successive pair of states is related by the above next-state relation.

3 Temporal Logic 

CTL* is a propositional branching time temporal logic whose formulae are built up from atomic propositions, propositional connectives, the universal ($A$) and existential ($E$) path quantifiers, and the linear-time modalities nexttime (by process $j$) $X_j$, and strong until $U$. The logic CTL results from restricting CTL* so that every linear-time modality is paired with a path quantifier, and vice-versa. The logic ACTL results from CTL by restricting negation to propositions, and eliminating the existential path quantifier. The linear-time temporal logic PTL results from removing the path quantifiers from CTL*.

Formally, we define the semantics of CTL* formulae with respect to a ($K$-process) structure $M = (S, R_{i_1}, \ldots, R_{i_K})$ consisting of

• $S$, a countable set of states. Each state is a mapping from the set $AP$ of atomic propositions into $\{true, false\}$, and

• $R_i \subseteq S \times \{i\} \times S$, a binary relation on $S$ giving the transitions of process $i$.

Here $AP = AP_{i_1} \cup \cdots \cup AP_{i_K}$, where $AP_i$ is the set of atomic propositions that “belong” to process $i$. Other processes can read propositions in $AP_i$, but only process $i$ can modify these propositions (which collectively define the local state of process $i$).¹ We define the logic $\mathrm{ACTL}^-$ to be ACTL without the $AX_j$ modality, and the logic $\mathrm{ACTL}^-_{ij}$ to be $\mathrm{ACTL}^-$ where the atomic propositions are drawn only from $AP_i \cup AP_j$.

¹ This interpretation was proposed by .

Let $R = R_{i_1} \cup \cdots \cup R_{i_K}$. A path is a sequence of states $(s_1, s_2, \ldots)$ such that $\forall i : (s_i, s_{i+1}) \in R$, and a fullpath is a maximal path. $M, s_1 \models f$ (respectively $M, \pi \models f$) means that $f$ is true in structure $M$ at state $s_1$ (respectively of fullpath $\pi$). Also, $M, S \models f$ means $\forall s \in S : M, s \models f$, where $S$ is a set of states. For the full definition of $\models$ see . For example, $M, s_1 \models Af$ iff for every fullpath $\pi = (s_1, s_2, \ldots)$ in $M$: $M, \pi \models f$; and $M, \pi \models fUg$ iff there exists $i$ such that $M, \pi^i \models g$ and for all $j \in [1 : (i-1)]$: $M, \pi^j \models f$ ($\pi^i$ is the suffix of $\pi$ starting at the $i$’th state).

We also introduce some additional modalities as abbreviations: $Ff$ (eventually) for $[true\,U\,f]$, $Gf$ (always) for $\neg F \neg f$, $[f\,U_w\,g]$ (weak until) for $[fUg] \vee Gf$, $\overset{\infty}{F} f$ (infinitely often) for $GFf$, and $\overset{\infty}{G} f$ (eventually always) for $FGf$. We refer the reader to for details in general, and to for details of ACTL.

To guarantee liveness properties of the synthesized program, we use a form of weak fairness. Fairness is usually specified as a linear-time logic (i.e., PTL) formula $\Phi$, and a fullpath is fair iff it satisfies $\Phi$. To state correctness properties under the assumption of fairness, we relativize satisfaction ($\models$) so that only fair fullpaths are considered. The resulting notion of satisfaction, $\models_\Phi$, is defined by as follows: $M, s_1 \models_\Phi Af$ iff for every $\Phi$-fair fullpath $\pi = (s_1, s_2, \ldots)$ in $M$: $M, \pi \models f$. Effectively, path quantification is only over the paths that satisfy $\Phi$.



4 The Synthesis Method 

We aim to synthesize a large concurrent program $P^I_{i_1} \| \cdots \| P^I_{i_K}$ without explicitly generating its global state transition diagram of size exponential in the number of processes $K$. The specification for a large concurrent program consists of:

1. a binary, irreflexive “interconnection” relation $I \subseteq \{i_1, \ldots, i_K\} \times \{i_1, \ldots, i_K\}$ over the set $\{i_1, \ldots, i_K\}$ of process indices, and

2. a mapping $spec$ which maps each pair $(i,j) \in I$ to a formula of $\mathrm{ACTL}^-_{ij}$ (we use $spec_{ij}$ rather than $spec((i,j))$ to denote this “pair-specification”).

We use $I$ to denote the pair $(I, spec)$ and abuse terminology by sometimes referring to $I$ as the interconnection relation. Given a specification $I$, we synthesize an $I$-program $P^I = (S^0_I, P^I_{i_1} \| \cdots \| P^I_{i_K})$ as follows:

1. For every pair of process indices $(i,j) \in I$, synthesize a pair-program $(S^0_{ij}, P^j_i \| P^i_j)$ using $spec_{ij}$ as the specification.

2. “Compose” all the pair-programs to produce $P^I$.

Since our focus in this article is on avoiding state-explosion, we shall not explicitly address step 1 above. Any synthesis method that produces concurrent programs in the synchronization skeleton notation can be used, e.g., .

$S^0_{ij}$ is the set of initial states, and $P^j_i, P^i_j$ are the synchronization skeletons for processes $i, j$, in the pair-program $(S^0_{ij}, P^j_i \| P^i_j)$. We refer to the component processes of a pair-program as pair-processes. Note that $P^j_i$ and $P^i_j$ interact by reading each other’s local state and by reading/writing a set (call it $SH_{ij}$) of shared variables.² $S^0_I$ is the set of initial states, and $P^I_i$ is the synchronization skeleton for process $i$, in the $I$-program $(S^0_I, P^I_{i_1} \| \cdots \| P^I_{i_K})$. We refer to the component processes $P^I_i$ of an $I$-program as $I$-processes. We say that $P_i$ and $P_j$ are neighbors when $(i,j) \in I$. We require that every process has at least one neighbor: $\forall i \in \{i_1, \ldots, i_K\} : (\exists j : (i,j) \in I)$. We also define $I(i) = \{j \mid (i,j) \in I\}$.

$spec_{ij}$ is the specification for the pair-program $(S^0_{ij}, P^j_i \| P^i_j)$, and defines the interaction of processes $i$ and $j$. Thus, $spec_{ij}$ is (initially) interpreted and verified over the structure induced by $(S^0_{ij}, P^j_i \| P^i_j)$ executing in isolation. Once $(S^0_{ij}, P^j_i \| P^i_j)$ has been composed with all the other pair-programs to yield the $I$-program, we will show that $spec_{ij}$ also holds for the $I$-program. Unlike , $spec_{ij}$ and $spec_{kl}$ (where $\{k,l\} \neq \{i,j\}$) can be completely different formulae, whereas in these formulae had to be “similar,” i.e., one was obtained from the other by substituting process indices.

Our synthesis method requires that the pair-programs induce the same local structure on all common processes. That is, for pair-programs $(S^0_{ij}, P^j_i \| P^i_j)$ and $(S^0_{ik}, P^k_i \| P^i_k)$, we require $\hat{P}^j_i = \hat{P}^k_i$, where $\hat{P}^j_i, \hat{P}^k_i$ result from removing all arc labels from $P^j_i, P^k_i$ respectively.³ We assume, in the sequel, that this condition holds. Also, all results quoted from have been reverified to hold in our setting, i.e., when the similarity assumptions of are dropped.

We compose pair-programs as follows. Consider first $I = \{(i,j), (j,k), (k,i)\}$, i.e., three pairwise interconnected processes $i, j, k$. With respect to process $i$, the proper interaction (i.e., that required to satisfy $spec_{ij}$) between process $i$ and process $j$ is captured by the commands that label the arcs of $P^j_i$. Likewise, the proper interaction between process $i$ and process $k$ is captured by the arc labels of $P^k_i$. Hence, in the three-process program $P^I$ (consisting of processes $i, j, k$), the proper interaction for process $i$ with processes $j$ and $k$ is captured as follows: when process $i$ traverses an arc, the command which labels that arc in $P^j_i$ is executed “simultaneously” with the command which labels the corresponding arc in $P^k_i$. For example, taking as our specification the mutual exclusion problem, if process $i$ executes a mutual exclusion protocol with respect to both processes $j$ and $k$, then, when process $i$ enters its critical section, both processes $j$ and $k$ must be outside their own critical sections.

Based on the above, we determine that the synchronization skeleton for process $i$ in $P^I$ (call it $P^I_i$) has the same basic graph structure as $P^j_i$ and $P^k_i$, and an arc label in $P^I_i$ is a “conjunction” of the labels of the corresponding arcs in $P^j_i$ and $P^k_i$.

² The shared variable sets of different pair-programs are disjoint: $SH_{ij} \cap SH_{i'j'} = \emptyset$ if $\{i,j\} \neq \{i',j'\}$.

³ Contrast this with the much more restrictive “process similarity assumption” of , which requires that $P^j_i$ can be obtained from $P^{j'}_{i'}$ by substituting $i$ for $i'$ and $j$ for $j'$. In effect, all processes must have isomorphic local structure and isomorphic arc labels. Thus, all pair-programs are isomorphic (Proposition 6.2.1 of ).
Generalizing to an arbitrary interconnection relation $I$, $P^I_i$ has the same basic graph structure as $P^j_i$ ($\hat{P}^I_i = \hat{P}^j_i$), and an arc label in $P^I_i$ is a “conjunction” of the labels of the corresponding arcs in $P^{j_1}_i, \ldots, P^{j_n}_i$, where $\{j_1, \ldots, j_n\} = I(i)$ are all the neighbors of process $i$.

We now make some technical definitions. A node (i.e., local state) of $P^j_i$, $P^I_i$ is a mapping of $AP_i$ to $\{true, false\}$. We refer to such nodes as $i$-states. A state of the pair-program $(S^0_{ij}, P^j_i \| P^i_j)$ is a tuple $(s_i, s_j, v^1_{ij}, \ldots, v^m_{ij})$ where $s_i$, $s_j$ are $i$-states, $j$-states, respectively, and $v^1_{ij}, \ldots, v^m_{ij}$ give the values of all the variables in $SH_{ij}$. We refer to states of $(S^0_{ij}, P^j_i \| P^i_j)$ as $ij$-states. An $ij$-state $s_{ij}$ inherits the assignments defined by its component $i$- and $j$-states: $s_{ij}(p_i) = s_i(p_i)$, $s_{ij}(p_j) = s_j(p_j)$, where $s_{ij} = (s_i, s_j, v^1_{ij}, \ldots, v^m_{ij})$, and $p_i, p_j$ are arbitrary atomic propositions in $AP_i$, $AP_j$, respectively. A state of $(S^0_I, P^I_{i_1} \| \cdots \| P^I_{i_K})$ is a tuple $(s_{i_1}, \ldots, s_{i_K}, v^1, \ldots, v^n)$, where $s_i$ ($i \in \{i_1, \ldots, i_K\}$) is an $i$-state and $v^1, \ldots, v^n$ give the values of all the shared variables of the $I$-program (i.e., those in $\bigcup_{(i,j) \in I} SH_{ij}$). We refer to states of an $I$-program as $I$-states. An $I$-state $s$ inherits the assignments defined by its component $i$-states ($i \in \{i_1, \ldots, i_K\}$): $s(p_i) = s_i(p_i)$, where $s = (s_{i_1}, \ldots, s_{i_K}, v^1, \ldots, v^n)$, and $p_i$ is any atomic proposition in $AP_i$ ($i \in \{i_1, \ldots, i_K\}$). If $J \subseteq I$, then define $J$-program, $J$-state exactly like $I$-program, $I$-state resp. but using interconnection relation $J$ instead of $I$.

The state-to-formula operator $\{s_i\}$ takes an $i$-state $s_i$ as argument and returns a propositional formula: $\{s_i\} = (\bigwedge_{s_i(p_i) = true} p_i) \wedge (\bigwedge_{s_i(p_i) = false} \neg p_i)$, where $p_i$ ranges over the members of $AP_i$. $\{s_i\}$ characterizes $s_i$ in that $s_i \models \{s_i\}$, and $s'_i \not\models \{s_i\}$ for all $s'_i \neq s_i$. $\{s_{ij}\}$ is defined similarly (but note that the variables in $SH_{ij}$ must be accounted for). We define the state projection operator $\upharpoonright$. This operator has several variants. First, we define projection onto a single process from both $I$-states and $ij$-states: if $s = (s_{i_1}, \ldots, s_{i_K}, v^1, \ldots, v^n)$, then $s \upharpoonright i = s_i$, and if $s_{ij} = (s_i, s_j, v^1_{ij}, \ldots, v^m_{ij})$, then $s_{ij} \upharpoonright i = s_i$. Next we define projection of an $I$-state onto a pair-program: if $s = (s_{i_1}, \ldots, s_{i_K}, v^1, \ldots, v^n)$, then $s \upharpoonright ij = (s_i, s_j, v^1_{ij}, \ldots, v^m_{ij})$, where $v^1_{ij}, \ldots, v^m_{ij}$ are those values from $v^1, \ldots, v^n$ that denote values of variables in $SH_{ij}$. $s \upharpoonright ij$ is well defined only when $i\,I\,j$ (i.e., $(i,j) \in I$). Finally, we define projection of an $I$-state onto a $J$-program. If $s = (s_{i_1}, \ldots, s_{i_K}, v^1, \ldots, v^n)$, then $s \upharpoonright J = (s_{j_1}, \ldots, s_{j_l}, v^1_J, \ldots, v^m_J)$, where $\{j_1, \ldots, j_l\}$ is the domain of $J$, and $v^1_J, \ldots, v^m_J$ are those values from $v^1, \ldots, v^n$ that denote values of variables in $\bigcup_{(i,j) \in J} SH_{ij}$. $s \upharpoonright J$ is defined only when $J \subseteq I$.

Let $\pi$ be a computation path of $P^I$. Then, the path-projection of $\pi$ onto $J \subseteq I$ (denoted $\pi \upharpoonright J$) is obtained as follows. Replace every state $s$ along $\pi$ by $s \upharpoonright J$, and then remove all transitions in $\pi$ that are not by some process in $J$, coalescing the source and target states of all such transitions (which must be the same, since if $s \xrightarrow{i} t$ and $i \notin \{j_1, \ldots, j_l\}$, then $s \upharpoonright J = t \upharpoonright J$).

The above discussion leads to the following definition for our synthesis method, which derives an $I$-process $P^I_i$ of the $I$-program $(S^0_I, P^I_{i_1} \| \cdots \| P^I_{i_K})$ from the pair-processes $\{P^j_i \mid j \in I(i)\}$ of the pair-programs $\{(S^0_{ij}, P^j_i \| P^i_j) \mid j \in I(i)\}$:

Definition 1 (Pairwise Synthesis). An $I$-process $P^I_i$ ($i \in \{i_1, \ldots, i_K\}$) is derived from the pair-processes $P^j_i$, $j \in I(i)$, as follows:

$P^I_i$ contains an arc from $s_i$ to $t_i$ with label $\bigotimes_{j \in I(i)} \bigoplus_{\ell \in [1:n_j]} B^j_\ell \rightarrow A^j_\ell$ iff

$\forall j \in I(i)$ : $P^j_i$ contains an arc from $s_i$ to $t_i$ with label $\bigoplus_{\ell \in [1:n_j]} B^j_\ell \rightarrow A^j_\ell$.

The initial state set $S^0_I$ of the $I$-program is derived from the pair-program initial state sets $S^0_{ij}$, $(i,j) \in I$, as follows:

$S^0_I = \{ s \mid \forall (i,j) \in I : s \upharpoonright ij \in S^0_{ij} \}$.

Here $\otimes$ is guarded command “conjunction.” The operational semantics of $B_1 \rightarrow A_1 \otimes B_2 \rightarrow A_2$ is that if both the guards $B_1, B_2$ evaluate to true, then the bodies $A_1, A_2$ can be executed in parallel. If at least one of $B_1, B_2$ evaluates to false, then the command “blocks,” i.e., waits until both of $B_1, B_2$ evaluate to true. See for complete definitions of $\oplus$, $\otimes$. Note that $S^0_I$ consists of exactly those $I$-states whose “projections” onto all the pairs in $I$ give initial states of the corresponding pair-program. We assume that the initial-state sets of all the pair-programs are such that there is at least one such $I$-state, and so $S^0_I$ is nonempty.

Definition 1 is, in effect, a syntactic transformation that can be carried out in linear time and space (in both $(S^0_{ij}, P^j_i \| P^i_j)$ and $I$). In particular, we avoid explicitly constructing the global state transition diagram of $(S^0_I, P^I_{i_1} \| \cdots \| P^I_{i_K})$, which is of size exponential in $K = |\{i_1, \ldots, i_K\}|$.

5 Soundness of the Synthesis Method 

Let $M_{ij} = (S^0_{ij}, S_{ij}, R_{ij})$ and $M_I = (S^0_I, S_I, R_I)$ be the global state transition diagrams of $(S^0_{ij}, P^j_i \| P^i_j)$, $(S^0_I, P^I_{i_1} \| \cdots \| P^I_{i_K})$ respectively. $S^0_{ij}$, $S^0_I$ are the sets of initial states of $M_{ij}$, $M_I$ respectively, and $S_{ij}$, $S_I$ are the sets of all states of $M_{ij}$, $M_I$ respectively, and $R_{ij} \subseteq S_{ij} \times \{i,j\} \times S_{ij}$, $R_I \subseteq S_I \times \{i_1, \ldots, i_K\} \times S_I$, are the sets of transitions of $M_{ij}$, $M_I$ respectively. The technical definitions of $M_{ij}$, $M_I$ in terms of $(S^0_{ij}, P^j_i \| P^i_j)$, $(S^0_I, P^I_{i_1} \| \cdots \| P^I_{i_K})$ are straightforward and are omitted (Section 2 describes the relevant operational semantics). $M_{ij}$ and $M_I$ can be interpreted as ACTL structures. $M_{ij}$ gives the semantics of $(S^0_{ij}, P^j_i \| P^i_j)$ executing in isolation, and $M_I$ gives the semantics of $(S^0_I, P^I_{i_1} \| \cdots \| P^I_{i_K})$. Our main soundness result below (the large model theorem) relates the ACTL formulae that hold in $M_I$ to those that hold in $M_{ij}$. We characterize transitions in $M_I$ as compositions of transitions in all the relevant $M_{ij}$:

Lemma 1. For all $I$-states $s, t \in S_I$ and $i \in \{i_1, \ldots, i_K\}$, $s \xrightarrow{i} t \in R_I$ iff:

$\forall j \in I(i) : s \upharpoonright ij \xrightarrow{i} t \upharpoonright ij \in R_{ij}$, and

$\forall j, k \in \{i_1, \ldots, i_K\} - \{i\}$, $j \neq k$ : $s \upharpoonright jk = t \upharpoonright jk$.

Lemma 2. Let $J \subseteq I$. If $\pi$ is a path in $M_I$, then $\pi \upharpoonright J$ is a path in $M_J$.

In particular, when $J = \{(i,j)\}$, Lemma 2 forms the basis for our soundness proof, since it relates computations of the synthesized $I$-program to computations of the pair-programs.
5.1 Deadlock-Freedom and the Wait-for-Graph

The wait-for-graph in a particular $I$-state $s$ contains as nodes every $I$-process, and every arc whose start state is a component of $s$. These arcs have an outgoing edge to every $I$-process which blocks them.

Definition 2 (Wait-for-Graph $W_I(s)$). Let $s$ be an arbitrary $I$-state. The wait-for-graph $W_I(s)$ of $s$ is a directed bipartite graph, where

1. the nodes of $W_I(s)$ are

(a) the $I$-processes $\{P^I_i \mid i \in \{i_1, \ldots, i_K\}\}$, and

(b) the arcs $\{a_i \mid i \in \{i_1, \ldots, i_K\}$ and $a_i \in P^I_i$ and $s_i = a_i.start\}$,

2. there is an edge from $P^I_i$ to every node of the form $a_i$ in $W_I(s)$, and

3. there is an edge from $a_i$ to $P^I_j$ in $W_I(s)$ if and only if $(i,j) \in I$ and $a_i \in W_I(s)$ and $s \upharpoonright ij(a_i.guard_j) = false$.

Here $a_i.guard_j$ is the conjunct of the guard of arc $a_i$ which references the state shared by $P_i$ and $P_j$ (in effect, $AP_j$ and $SH_{ij}$). We characterize a deadlock as the occurrence in the wait-for-graph of a supercycle:

Definition 3 (Supercycle). $SC$ is a supercycle in $W_I(s)$ if and only if:

1. $SC$ is nonempty,

2. if $P^I_i \in SC$ then for all $a_i$ such that $a_i \in W_I(s)$, $P^I_i \rightarrow a_i \in SC$, and

3. if $a_i \in SC$ then there exists $P^I_j$ such that $a_i \rightarrow P^I_j \in W_I(s)$ and $a_i \rightarrow P^I_j \in SC$.

Note that this definition implies that $SC$ is a subgraph of $W_I(s)$. In , we give a criterion, the wait-for-graph assumption, which is evaluated over the product of a small number of processes, thereby avoiding state-explosion. We show there that if the wait-for-graph assumption holds, then $W_I(s)$ cannot contain a supercycle for any reachable state $s$ of $M_I$. Furthermore, if $W_I(s)$ does not contain a supercycle, then, in state $s$, there exists at least one enabled arc. These results extend to the setting of this paper.

5.2 Liveness 

To assure liveness properties of the synthesized $I$-program, we assume a form of weak fairness. Let $CL(f)$ be the set of all subformulae of $f$, including $f$ itself. Let $ex_i$ be an assertion that is true along a transition in a structure iff that transition results from executing process $i$. Let $en_i$ hold in an $I$-state $s$ iff $P^I_i$ has some arc that is enabled in $s$. Our fairness criterion is the conjunction of weak blocking fairness and weak eventuality fairness (given below) and is defined as a formula of the linear time temporal logic PTL.

Definition 4 (Sometimes-Blocking, $blk^j_i$, $blk_i$). An $i$-state $s_i$ is sometimes-blocking in $M_{ij}$ if and only if:

$\exists s^0 \in S^0_{ij} : M_{ij}, s^0 \models EF(\{s_i\} \wedge (\exists a_j \in P^i_j : \{a_j.start\} \wedge \neg a_j.guard))$.

Also, $blk^j_i = \bigvee \{ \{s_i\} : s_i$ is sometimes-blocking in $M_{ij} \}$, and $blk_i = \bigvee_{j \in I(i)} blk^j_i$.

Thus, a sometimes-blocking state is an $i$-state $s_i$ such that there exists a reachable $ij$-state $s_{ij}$ in $M_{ij}$ satisfying $s_{ij} \upharpoonright i = s_i$ and in which $P_i$ blocks some arc $a_j$ of $P_j$. $a_j.start$ is the start state of $a_j$, and $a_j.guard$ is its guard.

Definition 5 (Weak Blocking Fairness $\Phi_b$).

$\Phi_b = \bigwedge_{i \in \{i_1, \ldots, i_K\}} \overset{\infty}{G}(blk_i \wedge en_i) \Rightarrow \overset{\infty}{F} ex_i$.

Weak blocking fairness requires that a process that is continuously enabled and in a sometimes-blocking state is eventually executed.

Definition 6 (Pending Eventuality, $pnd_{ij}$). Let $(i,j) \in I$. An $ij$-state $s_{ij}$ has a pending eventuality if and only if:

$\exists f_{ij} \in CL(spec_{ij}) : M_{ij}, s_{ij} \models \neg f_{ij} \wedge AF f_{ij}$.

Also, $pnd_{ij} = \bigvee \{ \{s_{ij}\} : s_{ij}$ has a pending eventuality$\}$.

In other words, $s_{ij}$ has a pending eventuality if there is a subformula of the pair-specification $spec_{ij}$ which does not hold in $s_{ij}$, but is guaranteed to eventually hold along every fullpath of $M_{ij}$ that starts in $s_{ij}$.

Definition 7 (Weak Eventuality Fairness $\Phi_e$).

$\Phi_e = \bigwedge_{(i,j) \in I} (\overset{\infty}{G} en_i \vee \overset{\infty}{G} en_j) \wedge \overset{\infty}{G} pnd_{ij} \Rightarrow \overset{\infty}{F}(ex_i \vee ex_j)$.

Weak eventuality fairness requires that if an eventuality is continuously pending, and one of $P^I_i$ or $P^I_j$ is continuously enabled, then eventually one of them will be executed. Our overall fairness notion $\Phi$ is then the conjunction of weak blocking and weak eventuality fairness: $\Phi = \Phi_b \wedge \Phi_e$.

Definition 8 (Liveness Condition). For every $(i,j) \in I$:

$M_{ij}, S^0_{ij} \models AG\,A(G\,ex_i \Rightarrow \overset{\infty}{G}\,aen_j)$,

where $aen_j = \forall a_j \in P^i_j : (\{a_j.start\} \Rightarrow a_j.guard)$.

$aen_j$ means that every arc of $P^i_j$ whose start state is a component of the current global state $s$ is also enabled in $s$. The liveness condition requires, for every pair-program $(S^0_{ij}, P^j_i \| P^i_j)$, when executing in isolation, that if $P^j_i$ can execute continuously along some path, then there exists a suffix of that path along which $P^j_i$ does not block any arc of $P^i_j$. Given the liveness condition and the absence of deadlocks and the use of $\Phi$-fair scheduling, we can show that one of $P^I_i$ or $P^I_j$ is guaranteed to be executed from any state of the $I$-program whose $ij$-projection has a pending eventuality.

Lemma 3 (Progress). Let $(i,j) \in I$, and let $s$ be an arbitrary reachable $I$-state. If

1. the liveness condition holds, and

2. for every reachable $I$-state $u$, $W_I(u)$ is supercycle-free, and

3. $M_{ij}, s \upharpoonright ij \models \neg h_{ij} \wedge AF h_{ij}$ for some $h_{ij} \in CL(spec_{ij})$, then

$M_I, s \models_\Phi AF(ex_i \vee ex_j)$.
5.3 The Large Model Theorem

The large model theorem establishes the soundness of our synthesis method. It states that any subformula of pair-specification $spec_{ij}$ which holds in the $ij$-projection of an $I$-state $s$ also holds in $s$ itself. That is, correctness properties satisfied by a pair-program executing in isolation also hold in the $I$-program.

Theorem 1 (Large Model). Suppose $M_{ij}, S^0_{ij} \models spec_{ij}$ for some $(i,j) \in I$. Let $f_{ij} \in CL(spec_{ij})$, and let $s$ be an arbitrary reachable $I$-state. If the liveness condition holds, and $W_I(u)$ is supercycle-free for every reachable $I$-state $u$, then

$M_{ij}, s \upharpoonright ij \models f_{ij}$ implies $M_I, s \models_\Phi f_{ij}$.

The correctness properties we are usually interested in are those that hold in all initial states. The large model corollary states that if all pair-specifications hold in all initial states of their respective pair-programs, then all pair-specifications also hold in all initial states of the $I$-program. The “spatial modality” $\bigwedge_{ij}$ quantifies over all pairs $(i,j) \in I$: $\bigwedge_{ij} spec_{ij}$ is equivalent to $\bigwedge_{(i,j) \in I} spec_{ij}$.

Corollary 1 (Large Model). If the liveness condition holds, and $W_I(u)$ is supercycle-free for every reachable $I$-state $u$, then

$(\forall (i,j) \in I : M_{ij}, S^0_{ij} \models spec_{ij})$ implies $M_I, S^0_I \models_\Phi \bigwedge_{ij} spec_{ij}$.



6 Example — Readers Writers 

In the readers-writers problem a set of reader processes and a set of writer processes contend for access to a shared file. Mutual exclusion of access between readers and writers, and also between two writers, is required. Also, all requests by writers for access must eventually be granted (“absence of starvation”), and a writer’s request takes priority over a reader’s request. We specify the readers-writers problem in ACTL as follows:

Local structure of both readers and writers ($P_i$ is a reader or a writer):

$N_i$: $P_i$ is initially in its noncritical region

$AG(N_i \Rightarrow (AX_i T_i \wedge EX_i T_i)) \wedge AG(T_i \Rightarrow AX_i C_i) \wedge AG(C_i \Rightarrow (AX_i N_i \wedge EX_i N_i))$: $P_i$ moves from $N_i$ to $T_i$ to $C_i$ and back to $N_i$. Furthermore, $P_i$ can always move from $N_i$ to $T_i$ and from $C_i$ to $N_i$

$AG((N_i \equiv \neg(T_i \vee C_i)) \wedge (T_i \equiv \neg(N_i \vee C_i)) \wedge (C_i \equiv \neg(N_i \vee T_i)))$: $P_i$ is always in exactly one of the states $N_i$ (noncritical), $T_i$ (trying), or $C_i$ (critical)

Reader-writer pair-specification ($RP_i$ is reader, $WP_j$ is writer):

Local structure: The above local structure specification for both $RP_i$ and $WP_j$

$AG(T_i \Rightarrow AF(C_i \vee \neg N_j))$: absence of starvation for readers provided no writer requests access

$AG(T_j \Rightarrow AF C_j)$: absence of starvation for writers

$AG((T_i \wedge T_j) \Rightarrow A[T_i\,U\,C_j])$: priority of writers over readers for outstanding requests to enter the critical region

$AG(\neg(C_i \wedge C_j))$: mutual exclusion of access between a reader and a writer
Writer-writer pair-specification ($WP_j$, $WP_k$ are writers):

Local structure: The above local structure specification for $WP_j$ and $WP_k$

$AG(T_j \Rightarrow AF C_j) \wedge AG(T_k \Rightarrow AF C_k)$: absence of starvation for writers

$AG(\neg(C_j \wedge C_k))$: mutual exclusion of access between two writers

Interconnection Relation $I$: Let $K_R$, $K_W$ be the desired number of readers, writers respectively. Then $I$ is given by $RW \cup WW$, where $RW = \{(RP_i, WP_j) \mid i \in [1 : K_R], j \in [1 : K_W]\}$ gives the interconnection between readers and writers, and $WW = \{(WP_j, WP_k) \mid j, k \in [1 : K_W], j \neq k\}$ gives the interconnection between writers and writers. There is no interconnection between readers and readers.

For each pair-specification, we synthesize a pair-program satisfying it, using the synthesis method of . Figures 1 and 2 display the pair-programs for the reader-writer pair-specification, writer-writer pair-specification, respectively. Finally, we apply Definition 1 to synthesize the $I$-program with $K_R$ readers and $K_W$ writers, which is shown in Figure 3. Correctness of the $I$-program follows immediately from Corollary 1, since the conjunction of the pair-specifications gives us the desired correctness properties (formulae of the forms $AG(p_i \Rightarrow AX_i q_i)$, $AG(p_i \Rightarrow EX_i q_i)$ are not in $\mathrm{ACTL}^-$, but were shown to be preserved in , and the proof given there still applies here).
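As an added example (not code from the paper), the following Python carries out Definition 1 for the writer-writer pair-program of Fig. 2 and then checks the result in the way Sections 2 and 5.1 describe: it composes $K_W$ copies of the pair-process $WP_j$ under $I = WW$, explores every reachable $I$-state under the interleaving semantics, and verifies mutual exclusion, deadlock-freedom and the absence of supercycles in each reachable wait-for-graph. The assignment of Fig. 2's labels to the arcs $N \rightarrow T$, $T \rightarrow C$, $C \rightarrow N$, the encoding of guarded commands as Python pairs, and the initial values of the turn variables $x_{jk}$ are assumptions of this example; readers are left out because Fig. 1 is not legible here.

```python
from itertools import product

# Guarded command = (guard, body): guard(state) -> bool, body(old_state) -> dict of updates.
# Pair-process arc label = list of guarded commands, read as their (+)-disjunction.
# I-process arc label = list of such lists, read as their (x)-conjunction, one per neighbour.

def writer_pair_process(j, k):
    """Pair-process WP_j of the writer-writer pair-program WP_j || WP_k (Fig. 2), keyed (start, target).
    Assumed here: which of Fig. 2's labels sits on which arc."""
    x = ("x", min(j, k), max(j, k))                       # the pair's single shared variable x_jk
    loc = lambda p, s: s["loc"][p]
    return {
        ("N", "T"): [(lambda s: loc(k, s) in ("N", "C"), lambda s: {}),        # N_k v C_k -> skip
                     (lambda s: loc(k, s) == "T", lambda s: {x: k})],           # (+) T_k -> x_jk := k
        ("T", "C"): [(lambda s: loc(k, s) == "N" or (loc(k, s) == "T" and s["var"][x] == j),
                      lambda s: {})],                                          # N_k v (T_k ^ x_jk = j) -> skip
        ("C", "N"): [(lambda s: True, lambda s: {})],                            # true -> skip
    }

def pairwise_synthesis(i, neighbours, pair_process):
    """Definition 1: P_i^I has arc (s,t) labelled (x)_{j in I(i)} label_j iff every P_i^j has arc (s,t)."""
    procs = [pair_process(i, j) for j in neighbours]
    assert all(set(p) == set(procs[0]) for p in procs), "pair-processes must share local structure"
    return {arc: [p[arc] for p in procs] for arc in procs[0]}

def freeze(loc, var):                                      # hashable global state (s_1..s_K, v_1..v_m)
    return (tuple(sorted(loc.items())), tuple(sorted(var.items())))

def thaw(state):
    return {"loc": dict(state[0]), "var": dict(state[1])}

def enabled_branches(label, s):
    """Per neighbour conjunct of an (x)-label, the bodies of the (+)-branches whose guard holds in s."""
    return [[body for guard, body in cmd if guard(s)] for cmd in label]

def successors(progs, state):
    """Interleaving semantics (Section 2): an (x)-labelled arc is enabled iff every conjunct has an
    enabled branch; the chosen bodies run as one parallel assignment evaluated in the old state."""
    s = thaw(state)
    for i, arcs in progs.items():
        for (src, tgt), label in arcs.items():
            if s["loc"][i] != src:
                continue
            choices = enabled_branches(label, s)
            if any(not c for c in choices):
                continue                                   # this arc is blocked in state s
            for bodies in product(*choices):
                var = dict(s["var"])
                for body in bodies:
                    var.update(body(s))
                loc = dict(s["loc"]); loc[i] = tgt
                yield i, freeze(loc, var)

def wait_for_graph(progs, neighbours, state):
    """Definition 2 as {arc a_i: {j : a_i's j-conjunct is false in s}}, over arcs starting in s_i."""
    s = thaw(state)
    return {(i, src, tgt): {j for j, c in zip(neighbours[i], enabled_branches(label, s)) if not c}
            for i, arcs in progs.items() for (src, tgt), label in arcs.items() if s["loc"][i] == src}

def has_supercycle(wfg):
    """Definition 3: a supercycle exists iff the largest node set closed under conditions 2 and 3
    is nonempty; compute it by repeatedly discarding nodes that violate a condition."""
    sc_procs, sc_arcs = {a[0] for a in wfg}, set(wfg)
    changed = True
    while changed:
        changed = False
        for a in list(sc_arcs):                            # condition 3: an arc must wait on an SC process
            if not (wfg[a] & sc_procs):
                sc_arcs.discard(a); sc_procs.discard(a[0]); changed = True   # and condition 2 drops its process
    return bool(sc_procs)

def writers_program(K):
    """The I-program for K writers under I = WW (every writer is every other writer's neighbour)."""
    ids = list(range(1, K + 1))
    neighbours = {j: [k for k in ids if k != j] for j in ids}
    progs = {j: pairwise_synthesis(j, neighbours[j], writer_pair_process) for j in ids}
    var = {("x", j, k): j for j in ids for k in ids if j < k}   # constructed initial turn values
    return progs, neighbours, freeze({j: "N" for j in ids}, var)

def check_writers(K):
    """Explore all reachable I-states and check mutual exclusion, deadlock-freedom (some arc enabled
    in every state) and that no reachable wait-for-graph contains a supercycle (Section 5.1)."""
    progs, neighbours, init = writers_program(K)
    seen, stack = {init}, [init]
    mutex = deadlock_free = supercycle_free = True
    while stack:
        s = stack.pop()
        succ = [t for _, t in successors(progs, s)]
        deadlock_free &= bool(succ)
        mutex &= sum(1 for _, l in s[0] if l == "C") <= 1
        supercycle_free &= not has_supercycle(wait_for_graph(progs, neighbours, s))
        for t in succ:
            if t not in seen:
                seen.add(t); stack.append(t)
    return {"states": len(seen), "mutex": mutex,
            "deadlock_free": deadlock_free, "supercycle_free": supercycle_free}

if __name__ == "__main__":
    print(check_writers(3))    # 3 writers: mutex, deadlock_free and supercycle_free all True
```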




[Figure 1: state-machine diagram of the reader-writer pair-program, not reproduced; the only legible arc label is $true \rightarrow skip$.]

Fig. 1. Reader-writer pair-program $RP_i \| WP_j$.

[Figure 2: state-machine diagram of the writer-writer pair-program, not reproduced. Legible arc labels of $WP_j$: $N_k \vee C_k \rightarrow skip \oplus T_k \rightarrow x_{jk} := k$; $N_k \vee (T_k \wedge x_{jk} = j) \rightarrow skip$; $true \rightarrow skip$. Legible arc labels of $WP_k$: $N_j \vee C_j \rightarrow skip \oplus T_j \rightarrow x_{jk} := j$; $N_j \vee (T_j \wedge x_{jk} = k) \rightarrow skip$; $true \rightarrow skip$.]

Fig. 2. Writer-writer pair-program $WP_j \| WP_k$.

[Figure 3: state-machine diagram of the many readers, many writers program, not reproduced. Legible arc labels: $\bigotimes_{j \in RW(i)} (true \rightarrow skip)$ in $RP_i$ and $\bigotimes_{i \in RW(j) \cup WW(j)} (true \rightarrow skip)$ in $WP_j$.]

Fig. 3. Many readers, many writers program $(\|_{1 \le i \le K_R} RP_i) \| (\|_{1 \le j \le K_W} WP_j)$.

7 Example — Two Phase Commit 

Our second example is a ring-based (non fault-tolerant) two-phase commit protocol $P^I = P^I_0 \| P^I_1 \| \cdots \| P^I_{n-1}$, where $I$ specifies a ring. $P^I_0$ is the coordinator, and $P^I_i$, $1 \le i < n$ are the participants: each participant represents a transaction. The protocol proceeds in two cycles around the ring. The coordinator initiates the first cycle, in which each participant decides to either submit its transaction or unilaterally abort. $P^I_i$ can submit only after it observes that $P^I_{i-1}$ has submitted. After the first cycle, the coordinator observes the state of $P^I_{n-1}$. If $P^I_{n-1}$ has submitted, that means that all participants have submitted, and so the coordinator decides commit. If $P^I_{n-1}$ has aborted, that means that some participant $P^I_i$ unilaterally aborted, thereby causing all participants $P^I_j$, $i < j \le n-1$ to abort. In that case, the coordinator decides abort. The second cycle relays the coordinator’s decision around the ring. The participant processes are all similar to each other, but not similar to the coordinator. Hence, there are three dissimilar pair-programs to consider: $P^0_{n-1} \| P^{n-1}_0$, $P^1_0 \| P^0_1$, and $P^i_{i-1} \| P^{i-1}_i$ (which is replicated for each $i$ from 2 to $n-1$ inclusive). The pair-specifications are as follows. For brevity, we omit the obvious local structure specifications (see the previous section for an example of these). The formula $f \rightarrow g$ abbreviates $A[(f \Rightarrow AFg)\,U_w\,g]$, which means that if $f$ holds at some point along a fullpath, then $g$ holds at some (possibly different) point. There is no ordering on the times at which $f$ and $g$ hold. $f \leadsto g$ abbreviates temporal leads-to: $AG[f \Rightarrow AFg]$.

Pair-specification for $P^0_{n-1} \| P^{n-1}_0$:

$cm_0 \rightarrow sb_{n-1}$: the coordinator decides commit only if participant $n-1$ submits

$AF(cm_0 \vee ab_0)$: the coordinator eventually decides

Pair-specification for $P^1_0 \| P^0_1$:

$AF(cm_0 \vee ab_0)$: the coordinator eventually decides

$cm_1 \rightarrow cm_0$: participant 1 commits only if the coordinator decides commit

$ab_0 \rightarrow ab_1$: if the coordinator decides abort, then participant 1 aborts

$AG(\neg cm_1 \vee \neg ab_1) \wedge AG(cm_1 \Rightarrow AG\,cm_1) \wedge AG(ab_1 \Rightarrow AG\,ab_1)$: participant 1 does not both commit and abort, and does not change its decision once made

$AG(st_1 \Rightarrow EX_1 ab_1)$: participant 1 can abort unilaterally from its starting state

$AG[sb_1 \Rightarrow A[sb_1\,U\,(sb_1 \wedge (cm_0 \vee ab_0))]]$: once participant 1 submits, it does not decide until the coordinator first decides

Pair-specification for $P^i_{i-1} \| P^{i-1}_i$, for $2 \le i \le n-1$:

$sb_i \rightarrow sb_{i-1}$: participant $i$ submits only if participant $i-1$ submits

$cm_i \rightarrow cm_{i-1}$: participant $i$ commits only if participant $i-1$ commits

$(cm_{i-1} \wedge sb_i) \leadsto cm_i$: if participant $i$ submits and participant $i-1$ commits, then participant $i$ eventually commits

$ab_{i-1} \rightarrow ab_i$: if participant $i-1$ aborts, then so does participant $i$

$AG(\neg cm_i \vee \neg ab_i) \wedge AG(cm_i \Rightarrow AG\,cm_i) \wedge AG(ab_i \Rightarrow AG\,ab_i)$: participant $i$ does not both commit and abort, and does not change its decision once made

$AG[sb_i \Rightarrow A[sb_i\,U\,(sb_i \wedge (cm_{i-1} \vee ab_{i-1}))]]$: once participant $i$ submits, it does not decide until participant $i-1$ first decides

$AG(st_i \Rightarrow EX_i ab_i)$: participant $i$ can abort unilaterally from its starting state

The pair-programs synthesized from the above pair-specifications are given in Figures 4, 5 and 6 respectively, where $term_i = cm_i \vee ab_i$, and an incoming arrow with no source indicates an initial local state. They satisfy the liveness condition and the wait-for-graph assumption, and so the large model theorem is applicable. The synthesized two-phase commit protocol $P^I$ is given in its own figure. We establish the correctness of $P^I$ by the following deductive argument:



1. $cm_0 \rightarrow sb_{n-1}$    [LMT]
2. $\bigwedge_{2 \le i < n} (sb_i \rightarrow sb_{i-1})$    [LMT]
3. $cm_0 \rightarrow \bigwedge_{1 \le i < n} sb_i$    [1, 2]
4. $\bigwedge_{1 \le i < n} (cm_i \rightarrow cm_{i-1})$    [LMT]
5. (formula not recoverable from the extracted text)    [3, 4]
6. $\bigwedge_{1 \le i < n} ((cm_{i-1} \wedge sb_i) \leadsto cm_i)$    [LMT]
7. $\bigwedge_{1 \le i < n} (AG(\neg cm_i \vee \neg ab_i) \wedge AG(cm_i \Rightarrow AG\,cm_i))$    [LMT]
8. $\bigwedge_{1 \le i < n} AG[sb_i \Rightarrow A[sb_i\,U\,(sb_i \wedge (cm_{i-1} \vee ab_{i-1}))]]$    [LMT]
9. $\bigwedge_{0 \le i < n-1} (cm_i \rightarrow A[sb_{i+1}\,U\,(sb_{i+1} \wedge cm_i)])$    [5, 7, 8]
10. $\bigwedge_{1 \le i < n-1} ((cm_{i-1} \wedge sb_i) \leadsto (cm_i \wedge sb_{i+1}))$    [6, 9]
11. $cm_0 \rightarrow \bigwedge_{1 \le i < n} cm_i$    [3, 6, 7, 9, 10]



The formulae in the above proof hold in all initial states of $M_I$, the global state transition diagram of $P^I$. The notation LMT means that the formula is a conjunct of the pair-specifications, and that we then used the large model theorem to deduce that the formula also holds in $M_I$ (i.e., for the $I$-program). A notation of some formula numbers means that the formula was deduced from the preceding formulae using an appropriate CTL deductive system [ref]. Formula 11 gives a correctness property of two-phase commit: if the coordinator commits, then so does every participant. Likewise, we establish $ab_0 \rightarrow \bigwedge_{1 \le i < n} ab_i$: if the coordinator aborts, then so does every participant. Finally, we establish $AF(cm_0 \vee ab_0)$ (the coordinator eventually decides) directly from the pair-specification for $P^1_0 \parallel P^0_1$ using the large model theorem. Note that $\bigwedge_{1 \le i < n} AG(st_i \Rightarrow EX_i\,ab_i)$ (every participant can abort unilaterally) also holds in $M_I$.

The deductive argument we used to establish $cm_0 \rightarrow \bigwedge_{1 \le i < n} cm_i$ required only five deductive steps (lines 3, 5, 9, 10, and 11). A completely manual correctness argument for a two-phase commit protocol would be much longer. Our vision is that the large model theorem, in combination with automatic synthesis or model checking [ref] methods for verifying the correctness of pair-programs, performs most of the work in establishing behavioral properties of the synthesized $I$-program. The use of a deductive system then provides the flexibility needed to deduce the final desired correctness properties.
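The two properties just derived (formula 11 and its abort counterpart) can also be checked exhaustively on an executable model of the ring protocol described at the beginning of this section. The Python model below is an added example written for this page, not the paper's synthesized program: it encodes the two cycles directly rather than as synchronization skeletons, the local states st/sb/cm/ab follow the propositions of the pair-specifications, and the function names are ours.

```python
from itertools import combinations


def run_ring_2pc(n, unilateral_aborts):
    """One run of the ring two-phase commit with coordinator P_0 and participants
    P_1 .. P_{n-1}. unilateral_aborts is the set of participants that take the
    EX_i ab_i branch in the first cycle. Returns the final local state of every
    process ('cm' or 'ab')."""
    state = {i: "st" for i in range(n)}
    # First cycle: P_i may submit only after observing that P_{i-1} submitted
    # (the coordinator initiating the cycle counts as P_1's predecessor).
    predecessor_submitted = True
    for i in range(1, n):
        if predecessor_submitted and i not in unilateral_aborts:
            state[i] = "sb"
        else:
            state[i] = "ab"          # own choice, or ab_{i-1} leads to ab_i
            predecessor_submitted = False
    # The coordinator inspects P_{n-1}: sb_{n-1} means everybody submitted.
    state[0] = "cm" if state[n - 1] == "sb" else "ab"
    # Second cycle: a submitted P_i waits (sb_i U ...) for its predecessor's
    # decision and then copies it around the ring.
    for i in range(1, n):
        if state[i] == "sb":
            state[i] = state[i - 1]
    return state


def violates(n, unilateral_aborts):
    """Names of the correctness properties a run violates (empty if none)."""
    st = run_ring_2pc(n, unilateral_aborts)
    bad = []
    if st[0] not in ("cm", "ab"):
        bad.append("AF(cm_0 v ab_0)")
    if st[0] == "cm" and any(st[i] != "cm" for i in range(1, n)):
        bad.append("cm_0 -> /\\ cm_i (formula 11)")
    if st[0] == "ab" and any(st[i] != "ab" for i in range(1, n)):
        bad.append("ab_0 -> /\\ ab_i")
    if st[0] == "cm" and unilateral_aborts:
        bad.append("commit despite a unilateral abort")
    return bad


def check_all_runs(n):
    """Enumerate every choice of unilateral aborters (2^(n-1) runs); True iff no
    run violates any of the properties above."""
    participants = range(1, n)
    for k in range(len(participants) + 1):
        for aborters in combinations(participants, k):
            if violates(n, set(aborters)):
                return False
    return True


if __name__ == "__main__":
    print(run_ring_2pc(4, set()))    # every process commits
    print(run_ring_2pc(4, {2}))      # P_2 aborts, so everybody aborts
    print(check_all_runs(6))
```

The exhaustive check is only feasible because the model has already fixed the interleaving (the ring forces a total order on the two cycles); the paper's point is that the large model theorem lets one avoid exactly this kind of global enumeration for larger $n$.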

Finally, we note the significant use of nested temporal modalities in both the above pair-specifications and the deductive proof (recall that the ACTL formula $f \rightarrow g$ is really an abbreviation for $A[(f \Rightarrow AFg)\,U_w\,g]$, which nests $AF$ inside $AU_w$). This would not have been possible in the framework of [ref].



Fig. 4. Pair program $P^0_{n-1} \parallel P^{n-1}_0$ (state diagram not reproduced; its arc labels include $true$ and $term_0$)



8 Conclusions and Further Work 

We presented a synthesis method that deals with an arbitrary number of com- 
ponent processes without incurring the exponential overhead due to state explo- 
sion. Our method applies to any process interconnection scheme, does not make 
any assumption of similarity among the component processes, and preserves all 
pairwise and nexttime-free formulae of ACTL. We note that the method of implementing the synthesized programs on realistic distributed systems which was proposed in [ref] is also applicable to the programs that our new method produces.

Further work includes dealing with fault-tolerance and real-time, and extend- 
ing the method to a more expressive notation where the nodes of a synchroniza- 
tion skeleton denote sets of local states rather than individual local states. 
Fig. 5. Pair program $P^1_0 \parallel P^0_1$ (state diagram not reproduced)

Fig. 6. Pair program $P^i_{i-1} \parallel P^{i-1}_i$ (state diagram not reproduced; its arc labels include $true$)
Abstract. This paper presents a symbolic model checking algorithm for continuous-time Markov chains for an extension of the continuous stochastic logic CSL of Aziz et al. [ref]. The considered logic contains a time-bounded until-operator and a novel operator to express steady-state probabilities. We show that the model checking problem for this
state probabilities. We show that the model checking problem for this 
logic reduces to a system of linear equations (for unbounded until and the 
steady state-operator) and a Volterra integral equation system for time- 
bounded until. We propose a symbolic approximate method for solving 
the integrals using MTDDs (multi-terminal decision diagrams), a gener- 
alisation of MTBDDs. These new structures are suitable for numerical 
integration using quadrature formulas based on equally-spaced abscissas, 
like trapezoidal, Simpson and Romberg integration schemes. 



1 Introduction 

The mechanised verification of a given (usually finite-state) model against a property expressed in some temporal logic is known as model checking. For probabilistic systems, i.e. transition systems where branching is governed by discrete probability distributions, qualitative and quantitative model checking algorithms have been investigated extensively [refs]. In a qualitative setting it is checked whether a property holds with probability 0 or 1; in a quantitative setting it is typically verified whether the probability for a certain property meets given lower or upper bounds. For discrete-time systems, the quantitative approach has been investigated quite thoroughly: model checking algorithms have been developed for fully probabilistic transition systems like discrete-time Markov chains or generative transition systems [refs], as well as for probabilistic systems that contain non-determinism [refs].

In this paper we consider real-time probabilistic systems, that is, we con- 
sider the model checking problem for continuous-time Markov chains (CTMCs) 

* The first and second author are sponsored by the DAAD-Project AZ 313-ARG-XII- 
98/38 on stochastic modelling and verification. 
that are at the basis of contemporary performance evaluation and reliability analysis methodologies. A branching-time logic called continuous stochastic logic (CSL) is used to express properties over CTMCs. This logic is an extension of the (equally named) logic by Aziz et al. [ref] with an operator to reason about steady-state probabilities: e.g. the formula $S_{\ge p}(\Phi)$ asserts that the steady-state probability for a $\Phi$-state is at least $p$, for $p \in [0,1]$. Apart from the usual path-formulas like next and until, a time-bounded until $U^{\le t}$, for $t$ a non-negative real, is incorporated, together with standard derivatives, such as a time-bounded eventually $\Diamond^{\le t}$. The usual path quantifiers $\forall$ and $\exists$ are replaced by the probabilistic operator $P_{\bowtie p}(\cdot)$ for comparison operator $\bowtie$ and $p \in [0,1]$. For instance, $P_{<0.001}(\Diamond^{\le 4}\,error)$ asserts that the probability for a system error within 4 time-units is less than $10^{-3}$.

The model checking problem for CSL is known to be decidable [ref] (for rational time bounds), but to the best of our knowledge no algorithms have been considered yet to verify CTMCs automatically, let alone symbolically. This paper
investigates which numerical methods can be adapted to “model check” CSL- 
formulas over CTMCs as models. We show that next and (unbounded) until- 
formulas can be treated similarly as in the discrete-time probabilistic setting. 
Checking steady-state probability-properties reduces to solving a linear equa- 
tion system combined with standard graph analysis methods, while checking the 
time-bounded until reduces to solving a (recursive) Volterra integral equation 
system. These integrals are characterised as least fixed points of appropriate 
higher-order functions, and can thus be approximated by an iterative approach. 

One of the major reasons for the success of model checking tools in practice is the efficient way to cope with the state-space explosion problem. A prominent technique is to adopt a compact representation of state spaces using (reduced ordered) binary decision diagrams, BDDs for short [ref]. This paper follows this line by proposing an alternative variant, referred to as multi-terminal decision diagrams (MTDDs), that is suited for the necessary real-time probability calculations. MTDDs are a novel generalisation of multi-terminal binary decision diagrams (MTBDDs [ref], also called algebraic decision diagrams [ref]), variants of BDDs that can efficiently deal with real matrices. MTBDDs (and MTDDs) allow arbitrary real numbers in the terminal nodes instead of just 0 and 1 (like in BDDs). Whereas MTBDDs are defined on boolean variables, MTDDs allow both boolean and real variables. This generalisation is suitable for numerical integration, which is needed for time-bounded until, using quadrature formulas based on equally-spaced abscissas (i.e. interval points). This includes well-known methods like trapezoidal, Simpson and Romberg integration schemes [ref]. Due to their suitability for numerical integration, the potential application of MTDDs is much wider than model checking CTMCs. For the other temporal operators in CSL we show that slight modifications of the MTBDD-approach for discrete-time probabilistic systems [ref] can be adopted.

The paper introduces MTDDs, defines appropriate operators on them and 
presents a symbolic model checking algorithm for CSL using these structures. 
Although it is difficult to obtain precise estimates for the time complexity of model checking using MTDDs (as with BDDs and MTBDDs), the success of (MT)BDD-based model checkers for large-scale examples ([refs] for BDDs and [refs] for MTBDDs) provides sufficient evidence to investigate MTDDs for our setting. For instance, [ref] reports experimental results of the computation of steady-state probabilities for discrete-time Markov chains with very large state spaces.

Organisation of the Paper. Section 2 introduces the necessary concepts of CTMCs. Section 3 presents the logic CSL and provides some useful characterisations of CSL-formulas that facilitate a model checking procedure. Section 4 introduces MTDDs, describes how CTMCs can be encoded as MTDDs, and presents several operators on these structures. Section 5 presents the approximative symbolic model checking algorithm. Finally, Section 6 concludes the paper. A (small) running example is used throughout the paper to illustrate the key concepts.

2 Continuous-Time Markov Chains 

Basic Definitions. Let $AP$ be a fixed, finite set of atomic propositions. A (labelled) continuous-time Markov chain (CTMC for short) is a tuple $\mathcal{M} = (S, Q, L)$ where $S$ is a finite set of states, $Q : S \times S \to \mathbb{R}_{\ge 0}$ the generator matrix (see the footnote below), and $L : S \to 2^{AP}$ the labelling function which assigns to each state $s \in S$ the set $L(s)$ of atomic propositions $a \in AP$ that are valid in $s$.

Intuitively, $Q(s,s')$ specifies that the probability of moving from state $s$ to $s'$ within $t$ time-units (for positive $t$) is $1 - e^{-Q(s,s') \cdot t}$, an exponential distribution with rate $Q(s,s')$. If $Q(s,s') > 0$ for more than one state $s'$, a competition between the transitions is assumed to exist, known as the race condition. Let $E(s) = \sum_{s' \in S} Q(s,s')$ be the total rate at which any transition emanating from state $s$ is taken. This rate is the reciprocal of the mean sojourn time in $s$. More precisely, $E(s)$ specifies that the probability of leaving $s$ within $t$ time-units (for positive $t$) is $1 - e^{-E(s) \cdot t}$, due to the fact that the minimum of exponential distributions (competing in a race) is characterised by the sum of their rates. Consequently, the probability of moving from state $s$ to $s'$ by a single transition, denoted $P(s,s')$, is determined by the probability that the delay of going from $s$ to $s'$ finishes before the delays of the other outgoing edges from $s$; formally, $P(s,s') = Q(s,s')/E(s)$ (except if $s$ is an absorbing state, i.e. if $E(s) = 0$; in this case we define $P(s,s') = 0$). Remark that the matrix $P$ describes an embedded discrete-time Markov chain. (For a more extensive treatment of CTMCs see [refs].)

Example 1. As a running example we consider $AP = \{a, b\}$, $S = \{s_0, \ldots, s_3\}$ with $L(s_0) = \emptyset$, $L(s_1) = \{a\}$, $L(s_2) = \{b\}$ and $L(s_3) = \{a, b\}$. The details of the CTMC are:

Footnote: Whereas usually the diagonal elements are defined as $Q(s,s) = -\sum_{s' \ne s} Q(s,s')$, we allow self-loops. This does not affect the transient and steady-state behaviour of the chain, but allows the standard interpretation of the next-state operator of the logic.
$$
Q = \begin{pmatrix} 0 & 3 & 0 & 3 \\ 0 & 0 & 1 & 0 \\ 0 & 0.5 & 0 & 0 \\ 0 & 0 & 0 & 2 \end{pmatrix}
\qquad\text{and}\qquad
E = \begin{pmatrix} 6 \\ 1 \\ 0.5 \\ 2 \end{pmatrix}
$$

(the entries of $E$ are the row sums of $Q$). Some transition probabilities are $P(s_0, s_3) = P(s_0, s_1) = \tfrac{1}{2}$ and $P(s_1, s_2) = 1$.
A path is a (finite or infinite) sequence $s_0, t_0, s_1, t_1, s_2, t_2, \ldots$, written as
$$\sigma = s_0 \xrightarrow{t_0} s_1 \xrightarrow{t_1} s_2 \xrightarrow{t_2} \cdots$$
with, for natural $i$, $s_i \in S$ and $t_i \in \mathbb{R}_{>0}$ such that $Q(s_i, s_{i+1}) > 0$, if $\sigma$ is infinite. Otherwise, if $\sigma = s_0 \xrightarrow{t_0} \cdots \xrightarrow{t_{l-1}} s_l$ is finite, we require that $s_l$ is absorbing, and $Q(s_i, s_{i+1}) > 0$ for all $i < l$. For $\sigma$ a path, $t \in \mathbb{R}_{\ge 0}$ and natural $i$ let $\sigma[i] = s_i$, the $i$-th state of $\sigma$, $\delta(\sigma, i) = t_i$, the time spent in state $s_i$, and $\sigma(t) = s_0$ for $t < t_0$, and $\sigma(t) = \sigma[i]$ where $i$ is the smallest index with $t < t_0 + \cdots + t_i$ otherwise. (For $\sigma$ a finite path with absorbing state $s_l$, $\sigma[i]$ and $\delta(\sigma, i)$ are only defined for $i \le l$, $\delta(\sigma, l) = \infty$, and $\sigma(t) = s_l$ for $t \ge t_0 + \cdots + t_{l-1}$.) Let $Path(s)$ denote the set of paths in $\mathcal{M}$ starting in $s$, and $Reach(s)$ the set of states reachable from $s$.

Borel Space. Let $s_0, \ldots, s_k \in S$ with $Q(s_i, s_{i+1}) > 0$ ($0 \le i < k$), and $I_0, \ldots, I_{k-1}$ non-empty intervals in $\mathbb{R}_{\ge 0}$. Then, $C(s_0, I_0, \ldots, I_{k-1}, s_k)$ denotes the cylinder set consisting of all paths $\sigma \in Path(s_0)$ such that $\sigma[i] = s_i$ ($i \le k$), and $\delta(\sigma, i) \in I_i$ ($i < k$). Let $\mathcal{F}(Path(s))$ be the smallest $\sigma$-algebra on $Path(s)$ which contains all sets $C(s, I_0, \ldots, I_{k-1}, s_k)$ where $s_0, \ldots, s_k$ ranges over all sequences of states such that $s = s_0$ and $Q(s_i, s_{i+1}) > 0$ ($0 \le i < k$) and $I_0, \ldots, I_{k-1}$ ranges over all sequences of non-empty intervals in $\mathbb{R}_{\ge 0}$. The probability measure $Pr$ on $\mathcal{F}(Path(s))$ is the unique measure defined by induction on $k$ by $Pr(C(s_0)) = 1$ and for $k \ge 0$:
$$Pr(C(s_0, \ldots, s_k, I', s')) = Pr(C(s_0, \ldots, s_k)) \cdot P(s_k, s') \cdot \left(e^{-E(s_k) \cdot a} - e^{-E(s_k) \cdot b}\right)$$
where $a = \inf I'$ and $b = \sup I'$. (For $b = \infty$ and $\lambda > 0$ let $e^{-\lambda \cdot \infty} = 0$.)



3 The Continuous Stochastic Logic CSL 



Syntax. CSL is a branching-time, CTL-like temporal logic where the state-formulas are interpreted over states of a CTMC. It adopts operators of PCTL [ref] like a time-bounded until operator and a probabilistic operator asserting that the probability for a certain event meets given bounds. We treat a variant of the (equally named) logic of [ref] with, for reasons of simplicity, an unnested time-bounded until operator plus a novel steady-state probability operator.

Definition 1. For $a \in AP$, $p \in [0,1]$ and $\bowtie \in \{\le, <, \ge, >\}$, the state-formulas of CSL are defined by the grammar
$$\Phi ::= tt \mid a \mid \Phi \wedge \Phi \mid \neg\Phi \mid S_{\bowtie p}(\Phi) \mid P_{\bowtie p}(\varphi)$$
where for $t \in \mathbb{R}_{\ge 0}$ path-formulas are defined by
$$\varphi ::= X\Phi \mid \Phi\,U\,\Phi \mid \Phi\,U^{\le t}\,\Phi.$$

The other boolean connectives are derived in the usual way, i.e. $ff = \neg tt$, $\Phi_1 \vee \Phi_2 = \neg(\neg\Phi_1 \wedge \neg\Phi_2)$, and $\Phi_1 \Rightarrow \Phi_2 = \neg\Phi_1 \vee \Phi_2$. The intended meaning of the temporal operators $U$ ("until") and $X$ ("next step") is standard. The temporal operator $U^{\le t}$ is the real-time variant of $U$; $\Phi_1\,U^{\le t}\,\Phi_2$ asserts that $\Phi_1\,U\,\Phi_2$ will be satisfied in the time interval $[0,t]$; i.e. there is some $x \in [0,t]$ such that $\Phi_1$ continuously holds during the interval $[0,x[$ and $\Phi_2$ becomes true at time instant $x$. The state formula $S_{\bowtie p}(\Phi)$ asserts that the steady-state probability for a $\Phi$-state falls in the interval $I_{\bowtie p} = \{q \in [0,1] \mid q \bowtie p\}$. $P_{\bowtie p}(\varphi)$ asserts that the probability measure of the paths satisfying $\varphi$ falls in the interval $I_{\bowtie p}$.

Temporal operators like $\Diamond$, $\Box$ and their real-time variants $\Diamond^{\le t}$, $\Box^{\le t}$ can be derived, e.g. $P_{\bowtie p}(\Diamond^{\le t}\Phi) = P_{\bowtie p}(tt\,U^{\le t}\,\Phi)$ and $P_{\ge p}(\Box\Phi) = P_{\le 1-p}(\Diamond\neg\Phi)$. For example, combining $P_{\ge 0.99}$, $\Box$ and $\Diamond^{\le 5}$ one can express that with probability at least 99% every request ($req$) is responded to ($resp$) within the next 5 time-units.

Semantics. The state-formulas are interpreted over the states of a CTMC. Let $\mathcal{M} = (S, Q, L)$ with proposition labels in $AP$. The definition of the satisfaction relation $\models \subseteq S \times CSL$ is as follows. Let $Sat(\Phi) = \{s \in S \mid s \models \Phi\}$.

$s \models tt$ for all $s \in S$
$s \models a$ iff $a \in L(s)$
$s \models \neg\Phi$ iff $s \not\models \Phi$
$s \models \Phi_1 \wedge \Phi_2$ iff $s \models \Phi_i$, $i = 1, 2$
$s \models S_{\bowtie p}(\Phi)$ iff $\pi_{Sat(\Phi)}(s) \in I_{\bowtie p}$
$s \models P_{\bowtie p}(\varphi)$ iff $Prob(s, \varphi) \in I_{\bowtie p}$.

Here, $\pi_{S'}(s)$ denotes the steady-state probability for $S' \subseteq S$ wrt. state $s$, i.e.
$$\pi_{S'}(s) = \lim_{t \to \infty} Pr\{\sigma \in Path(s) \mid \sigma(t) \in S'\}.$$
The limit exists, a consequence of $S$ being finite [ref]. Obviously, $\pi_{S'}(s) = \sum_{s' \in S'} \pi_{s'}(s)$, where we write $\pi_{s'}(s)$ instead of $\pi_{\{s'\}}(s)$. We let $\pi_\emptyset(s) = 0$. $Prob(s, \varphi)$ denotes the probability measure of all paths $\sigma \in Path(s)$ satisfying $\varphi$, i.e.
$$Prob(s, \varphi) = Pr\{\sigma \in Path(s) \mid \sigma \models \varphi\}.$$
The fact that, for each state $s$, the set $\{\sigma \in Path(s) \mid \sigma \models \varphi\}$ is measurable follows by easy verification. The satisfaction relation (also denoted $\models$) for the path-formulas is defined as usual:

$\sigma \models X\Phi$ iff $\sigma[1]$ is defined and $\sigma[1] \models \Phi$
$\sigma \models \Phi_1\,U\,\Phi_2$ iff $\exists k \ge 0.\ (\sigma[k] \models \Phi_2 \wedge \forall 0 \le i < k.\ \sigma[i] \models \Phi_1)$
$\sigma \models \Phi_1\,U^{\le t}\,\Phi_2$ iff $\exists x \in [0,t].\ (\sigma(x) \models \Phi_2 \wedge \forall y \in [0,x[.\ \sigma(y) \models \Phi_1)$.

In the remainder of this section we present alternative characterisations for $\pi_{S'}(s)$ and $Prob(s, \varphi)$ that will serve as a basis for our model checking algorithm. Since the derivation of these characterisations from the theory of CTMCs and DTMCs is not much involved, proofs are omitted.
Computing Steady-State Probabilities. It is well known that the steady-state probabilities exist for arbitrary CTMCs. For a strongly connected CTMC $\mathcal{M}$ and (non-absorbing) state $s'$, the steady-state probability $\pi_s(s')$ can be obtained by solving a linear equation system, i.e.
$$\pi_s(s') = \frac{\pi'_s(s')/E(s')}{\sum_{u \in S} \pi'_s(u)/E(u)}$$
where $\pi'_s(s'')$ satisfies the linear equation system
$$\pi'_s(s'') = \sum_{u \in S} P(u, s'') \cdot \pi'_s(u) \quad\text{such that}\quad \sum_{u \in S} \pi'_s(u) = 1.$$

For the general case we reformulate this as follows. Let $G$ be the underlying directed graph of $\mathcal{M}$ where vertices represent states and where there is an edge from $s$ to $s'$ iff $Q(s, s') > 0$. Sub-graph $B$ is a bottom strongly connected component (bscc) of $G$ if it is a strongly connected component such that for any $s \in B$, $Reach(s) \subseteq B$. We have $\pi_{s'}(s) = 0$ iff $s'$ does not occur in any bscc reachable from $s$. Let $B$ be a bscc of $G$ with $Reach(s) \cap B \ne \emptyset$ (or equivalently, $B \subseteq Reach(s)$) and assume that $a_B$ is an atomic proposition such that $a_B \in L(s)$ iff $s \in B$. Then $\Diamond a_B$ is a path-formula in CSL and $Prob(s, \Diamond B) = Prob(s, \Diamond a_B)$ is the probability of reaching $B$ from $s$ at some time $t$. For $s' \in B$, $\pi_{s'}(s)$ is given by $\pi_{s'}(s) = Prob(s, \Diamond B) \cdot \pi_B(s')$ where $\pi_B(s') = 1$ if $B = \{s'\}$, and otherwise
$$\pi_B(s') = \frac{\pi'_B(s')/E(s')}{\sum_{u \in B} \pi'_B(u)/E(u)}$$
for which $\pi'_B(s'')$ satisfies the linear equation system
$$\pi'_B(s'') = \sum_{u \in B} P(u, s'') \cdot \pi'_B(u) \quad\text{such that}\quad \sum_{u \in B} \pi'_B(u) = 1.$$

Example 2. Consider $S_{>0.5}(\Phi)$ where $\Phi = (a \wedge b) \vee P_{\ge 0.8}(a\,U^{\le 2}\,b)$, for the CTMC of Example 1. Note that the CTMC is not strongly connected, since e.g. $s_3$ cannot be reached from $s_2$ (and vice versa). Assume that $\Phi$ is valid in states $s_2$ and $s_3$, and invalid otherwise (as we will see later on). Then we have $s_0 \models S_{>0.5}(\Phi)$, since from $s_0$ both the bscc $B_1 = \{s_3\}$ and the bscc $B_2 = \{s_1, s_2\}$ can be reached with probability $P(s_0, s_3) = P(s_0, s_1) = 1/2$, and $s_2$ has a non-zero steady-state probability in $B_2$. Thus, the steady-state probability for $\Phi$ exceeds $0.5$. Formally: $\pi_{Sat(\Phi)}(s_0) = \pi_{\{s_2, s_3\}}(s_0) = \pi_{s_2}(s_0) + \pi_{s_3}(s_0)$ where $\pi_{s_2}(s_0) = Prob(s_0, \Diamond B_2) \cdot \pi_{B_2}(s_2)$ and $\pi_{s_3}(s_0) = Prob(s_0, \Diamond B_1) \cdot \pi_{B_1}(s_3)$. We have $Prob(s_0, \Diamond B_1) = Prob(s_0, \Diamond B_2) = 1/2$, $\pi_{B_1}(s_3) = 1$, and obtain $\pi'_{B_2}(s_2) = 1/2$ by solving the equation system $\pi'_{B_2}(s_2) = \pi'_{B_2}(s_1)$, $\pi'_{B_2}(s_1) = \pi'_{B_2}(s_2)$, $\pi'_{B_2}(s_1) + \pi'_{B_2}(s_2) = 1$. Subsequently, calculation of $\pi_{B_2}(s_2)$ yields $2/3$. Thus, $\pi_{\{s_2, s_3\}}(s_0) = 1/2 \cdot 2/3 + 1/2 \cdot 1 = 5/6$, which indeed exceeds $0.5$.
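As an added example (not the authors' implementation), the following Python code carries out the computation of Example 2 exactly, with the running CTMC entered as constructed data: bscc detection, the embedded-DTMC balance equations re-weighted by $1/E$, the reachability probabilities $Prob(s, \Diamond B)$ as the linear system of the unbounded until (Theorem 1 below), and finally the check of an $S_{\bowtie p}$ formula. All function names are ours.

```python
from fractions import Fraction

# Running example of the text (Example 1), constructed here as plain data.
STATES = ["s0", "s1", "s2", "s3"]
LABEL = {"s0": set(), "s1": {"a"}, "s2": {"b"}, "s3": {"a", "b"}}
Q = {  # generator matrix with self-loops allowed, rates as exact Fractions
    "s0": {"s1": Fraction(3), "s3": Fraction(3)},
    "s1": {"s2": Fraction(1)},
    "s2": {"s1": Fraction(1, 2)},
    "s3": {"s3": Fraction(2)},
}


def exit_rate(s):
    """E(s) = sum_{s'} Q(s, s'); 0 for an absorbing state."""
    return sum(Q[s].values(), Fraction(0))


def embedded_P(s, s2):
    """P(s, s') of the embedded DTMC (0 if s is absorbing)."""
    e = exit_rate(s)
    return Q[s].get(s2, Fraction(0)) / e if e else Fraction(0)


def reach(s):
    """Reach(s): states reachable from s along Q > 0 edges (s itself included)."""
    seen, todo = set(), [s]
    while todo:
        u = todo.pop()
        if u not in seen:
            seen.add(u)
            todo.extend(v for v, q in Q[u].items() if q > 0)
    return seen


def bsccs():
    """Bottom strongly connected components: SCCs B with Reach(s) a subset of B."""
    found = set()
    for s in STATES:
        r = reach(s)
        scc = frozenset(u for u in r if s in reach(u))
        if r <= scc:
            found.add(scc)
    return found


def solve(rows, rhs):
    """Exact Gauss-Jordan elimination for a square non-singular system."""
    n = len(rows)
    m = [list(r) + [b] for r, b in zip(rows, rhs)]
    for c in range(n):
        p = next(i for i in range(c, n) if m[i][c] != 0)
        m[c], m[p] = m[p], m[c]
        piv = m[c][c]
        m[c] = [v / piv for v in m[c]]
        for i in range(n):
            if i != c and m[i][c] != 0:
                f = m[i][c]
                m[i] = [a - f * b for a, b in zip(m[i], m[c])]
    return [m[i][n] for i in range(n)]


def bscc_distribution(B):
    """pi_B: steady-state distribution inside bscc B. pi_B(s') = 1 for a singleton;
    otherwise solve pi'_B = pi'_B . P on B (one balance equation is redundant and
    is replaced by the normalisation) and re-weight by the mean sojourn times 1/E."""
    states = sorted(B)
    if len(states) == 1:
        return {states[0]: Fraction(1)}
    rows = [[(1 if u == tgt else 0) - embedded_P(u, tgt) for u in states] for tgt in states[:-1]]
    rows.append([Fraction(1)] * len(states))
    rhs = [Fraction(0)] * (len(states) - 1) + [Fraction(1)]
    pi_emb = dict(zip(states, solve(rows, rhs)))
    weight = {u: pi_emb[u] / exit_rate(u) for u in states}
    total = sum(weight.values(), Fraction(0))
    return {u: weight[u] / total for u in states}


def reach_prob(s, B):
    """Prob(s, <>B): least solution of x = P.x + i_B, made unique by the graph
    analysis the text mentions (x = 0 where B is unreachable, x = 1 inside B)."""
    if s in B:
        return Fraction(1)
    can = [u for u in STATES if u not in B and reach(u) & B]
    if s not in can:
        return Fraction(0)
    rows = [[(1 if v == u else 0) - embedded_P(u, v) for v in can] for u in can]
    rhs = [sum((embedded_P(u, v) for v in B), Fraction(0)) for u in can]
    return dict(zip(can, solve(rows, rhs)))[s]


def steady_state(s, sat_phi):
    """pi_{Sat(Phi)}(s) = sum over reachable bsccs B of Prob(s,<>B) * sum_{s' in B, s' in Sat} pi_B(s')."""
    total = Fraction(0)
    for B in bsccs():
        if reach(s) & B:
            dist = bscc_distribution(B)
            total += reach_prob(s, B) * sum((dist[u] for u in B if u in sat_phi), Fraction(0))
    return total


def sat_steady(cmp, p, sat_phi):
    """Sat(S_{cmp p}(Phi)) given Sat(Phi); cmp is one of '<', '<=', '>', '>='."""
    ok = {"<": lambda x: x < p, "<=": lambda x: x <= p,
          ">": lambda x: x > p, ">=": lambda x: x >= p}[cmp]
    return {s for s in STATES if ok(steady_state(s, sat_phi))}
```

Using exact rationals makes the bscc and reachability reasoning checkable by eye; the paper's MTBDD version of the same steps works with floating-point terminals.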

Computing $Prob(s, \varphi)$. The basis for calculating the probabilities $Prob(s, \varphi)$ is the following result.

Theorem 1. For $s \in S$, $t \in \mathbb{R}_{\ge 0}$ and $\Phi, \Phi_1, \Phi_2$ state-formulas in CSL:

1. $Prob(s, X\Phi) = \sum_{s' \models \Phi} P(s, s')$.

2. The function $S \to [0,1]$, $s \mapsto Prob(s, \Phi_1\,U\,\Phi_2)$ is the least fixed point of the higher-order operator $\Theta : (S \to [0,1]) \to (S \to [0,1])$ where (for the underlying partial order see the footnote below)
$$\Theta(F)(s) = \begin{cases} 1 & \text{if } s \models \Phi_2 \\ \sum_{s' \in S} P(s, s') \cdot F(s') & \text{if } s \models \Phi_1 \wedge \neg\Phi_2 \\ 0 & \text{otherwise.} \end{cases}$$

3. The function $S \times \mathbb{R}_{\ge 0} \to [0,1]$, $(s, t) \mapsto Prob(s, \Phi_1\,U^{\le t}\,\Phi_2)$ is the least fixed point of the higher-order operator $\Omega : (S \times \mathbb{R}_{\ge 0} \to [0,1]) \to (S \times \mathbb{R}_{\ge 0} \to [0,1])$ where
$$\Omega(F)(s, t) = \begin{cases} 1 & \text{if } s \models \Phi_2 \\ \sum_{s' \in S} Q(s, s') \cdot \int_0^t e^{-E(s) \cdot x} \cdot F(s', t-x)\,dx & \text{if } s \models \Phi_1 \wedge \neg\Phi_2 \\ 0 & \text{otherwise.} \end{cases}$$

The first two results of Theorem 1 are identical to the discrete-time probabilistic case, cf. [refs]. This entails that model checking for these formulas can be carried out by well-known methods:

— $(Prob(s, X\Phi))_{s \in S}$ can be obtained by multiplying the transition probability matrix $P$ with the (boolean) vector $\imath_\Phi = (\imath_\Phi(s))_{s \in S}$ characterising $Sat(\Phi)$, i.e. $\imath_\Phi(s) = 1$ if $s \models \Phi$ and 0 otherwise.

— $(Prob(s, \Phi_1\,U\,\Phi_2))_{s \in S}$ can be obtained by solving a linear equation system of the form $x = \bar{P} \cdot x + \imath_{\Phi_2}$ where $\bar{P}(s, s') = P(s, s')$ if $s \models \Phi_1 \wedge \neg\Phi_2$ and 0 otherwise. $Prob(s, \Phi_1\,U\,\Phi_2)$ is the least solution of this set of equations. Note, however, that this system of equations can, in general, have more than one solution. The least solution can be obtained by applying an iterative approximative method or a graph analysis combined with standard methods (like Gaussian elimination) to solve regular linear equation systems. The worst case time complexity of this step is linear in the size of $\varphi$ and polynomial in the number of states.



Example 3. Consider our running CTMC example, $\Phi = (a \wedge b) \vee P_{\ge 0.8}(a\,U^{\le 2}\,b)$, and suppose we want to check $s_1 \models \Phi$. It follows from $Q(s_1, s_2) = 1$ that the probability of reaching the $b$-state $s_2$ from $s_1$ within two time-units equals $1 - e^{-2} \approx 0.864664$. Formally, we have $s_2 \models \Phi$ since $s_2 \models b$, and $s_1 \models \Phi$, since $s_1 \not\models a \wedge b$ and using Theorem 1 (with $F$ the fixed point, so $F(s_2, \cdot) = 1$, and $E(s_1) = Q(s_1, s_2) = 1$) we have that $Prob(s_1, a\,U^{\le 2}\,b)$ equals
$$\sum_{s' \in S} Q(s_1, s') \cdot \int_0^2 e^{-E(s_1) \cdot x} \cdot F(s', 2-x)\,dx = \int_0^2 e^{-x}\,dx = \left[-e^{-x}\right]_0^2 = 1 - e^{-2}$$
which exceeds $0.8$.

Footnote: The underlying partial order on $S \to [0,1]$ is defined for $F_1, F_2 : S \to [0,1]$ by $F_1 \le F_2$ iff $F_1(s) \le F_2(s)$ for all $s$.

Footnote: The underlying partial order on $S \times \mathbb{R}_{\ge 0} \to [0,1]$ is defined for $F_1, F_2 : S \times \mathbb{R}_{\ge 0} \to [0,1]$ by $F_1 \le F_2$ iff $F_1(s,t) \le F_2(s,t)$ for all $s, t$.
The last result of Theorem 1 is due to the fact that the probability density function of the sojourn time in state $s$ is given by $E(s) \cdot e^{-E(s) \cdot x}$. The resulting recursive integral formula can be reformulated into a heterogeneous linear differential equation of the form
$$y'(t) = \bar{Q} \cdot y(t) + b(t)$$
where $y(t)$ denotes the vector $(Prob(s, \Phi_1\,U^{\le t}\,\Phi_2))_{s \in S}$, and $\bar{Q}$ is derived from $Q$ by $\bar{Q}(s, s') = Q(s, s')$ for $s \ne s'$ if $s, s' \models \Phi_1 \wedge \neg\Phi_2$, with $\bar{Q}(s, s) = Q(s, s) - E(s)$ on the diagonal for $s \models \Phi_1 \wedge \neg\Phi_2$ (differentiating the integral of Theorem 1 produces this $-E(s)$ term), and otherwise $\bar{Q}(s, s') = 0$. The vector $b(t) = (b_s(t))_{s \in S}$ is given by $b_s(t) = \sum_{s' \in Sat(\Phi_2)} Q(s, s')$ if $s \models \Phi_1 \wedge \neg\Phi_2$, and otherwise $b_s(t) = 0$. The vector $(Prob(s, \Phi_1\,U^{\le t}\,\Phi_2))_{s \in S}$ agrees with the following solution of the above heterogeneous linear differential equation:
$$y(t) = e^{\bar{Q} \cdot t} \cdot y(0) + \int_0^t e^{\bar{Q} \cdot (t-x)} \cdot b(x)\,dx$$
where $y(0)(s) = 1$ if $s \models \Phi_2$ and $0$ otherwise. Unfortunately, it is not clear (at least to the authors) how to obtain a closed solution for the above integral. Using a numerical approximation method instead is also not an accurate way out, essentially because known approximative methods for computing $e^{A \cdot t}$ (for some square matrix $A$) are unstable, yet computationally expensive [ref]. For that reason, our algorithm to compute $Prob(s, \Phi_1\,U^{\le t}\,\Phi_2)$ is directly based on the last result of Theorem 1. The result suggests the following iterative method to approximate $Prob(s, \Phi_1\,U^{\le t}\,\Phi_2)$: let $F_0(s, t) = 0$ for all $s, t$ and $F_{k+1} = \Omega(F_k)$. Then,
$$\lim_{k \to \infty} F_k(s, t) = Prob(s, \Phi_1\,U^{\le t}\,\Phi_2).$$
(The general nested time-bounded until in [ref] can be treated in a similar way.) Each step in the iteration amounts to solving an integral of the following form:
$$F_{k+1}(s, t) = \int_0^t \sum_{s' \in S} Q(s, s') \cdot e^{-E(s) \cdot x} \cdot F_k(s', t-x)\,dx,$$
if $s \models \Phi_1 \wedge \neg\Phi_2$. These integrals can be solved numerically based on quadrature formulas of the type
$$\int_a^b f(x)\,dx \approx \sum_{j=0}^{N} \alpha_j \cdot f(x_j)$$
with interval points $x_0, \ldots, x_N \in [a, b]$ and weights $\alpha_0, \ldots, \alpha_N$ that do not depend on $f$ (but may depend on $N$). In our model checking algorithm we focus on equally-spaced abscissas, i.e. $x_j = a + j \cdot h$ where $h = (b-a)/N$. Well-known methods applied in practice, like trapezoidal, Simpson, and Romberg integration schemes belong to this category [ref]. For instance, for the trapezoidal method $\alpha_0 = \alpha_N = h/2$ and $\alpha_i = h$ for $0 < i < N$.
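The iteration $F_{k+1} = \Omega(F_k)$ with trapezoidal quadrature on equally-spaced abscissas can be run directly on the running example. The Python code below is an added example for this page, not the paper's MTDD-based algorithm: it keeps $F_k(s, \cdot)$ as a plain list over the grid $x_J = J \cdot h$ (the same discrete representation the MTDDs of the next section carry), exploits that $x_J - x_j = x_{J-j}$ so that $F_k(s', t-x)$ is a grid lookup, and reproduces Example 3. The CTMC is entered as constructed data and all helper names are ours.

```python
import math

# Running example of the text (Example 1), constructed here as data.
STATES = ("s0", "s1", "s2", "s3")
LABEL = {"s0": set(), "s1": {"a"}, "s2": {"b"}, "s3": {"a", "b"}}
Q = {"s0": {"s1": 3.0, "s3": 3.0}, "s1": {"s2": 1.0}, "s2": {"s1": 0.5}, "s3": {"s3": 2.0}}


def exit_rate(s):
    """E(s) = sum_{s'} Q(s, s')."""
    return sum(Q[s].values())


def trapezoid_weights(J, h):
    """Weights wt^J_j for integrating over [0, x_J] on the abscissas x_0 .. x_J."""
    if J == 0:
        return [0.0]
    return [h / 2 if j in (0, J) else h for j in range(J + 1)]


def time_bounded_until(phi1, phi2, t, N=200, eps=1e-9, max_iter=50):
    """Approximate Prob(s, phi1 U^{<=t} phi2) for every state by iterating the
    operator Omega of Theorem 1(3) from F_0 = 0. F_k(s, .) is kept on the grid
    x_J = J*h, h = t/N; phi1 and phi2 are predicates on a state's label set."""
    h = t / N
    sat1 = {s for s in STATES if phi1(LABEL[s])}
    sat2 = {s for s in STATES if phi2(LABEL[s])}
    F = {s: [0.0] * (N + 1) for s in STATES}
    for _ in range(max_iter):
        G = {}
        for s in STATES:
            if s in sat2:
                G[s] = [1.0] * (N + 1)
            elif s in sat1:
                E = exit_rate(s)
                dens = [math.exp(-E * j * h) for j in range(N + 1)]   # e^{-E(s) x_j}
                # sum_{s'} Q(s,s') F_k(s', x_k), tabulated once per state
                succ = [sum(q * F[s2][k] for s2, q in Q[s].items()) for k in range(N + 1)]
                vals = []
                for J in range(N + 1):
                    w = trapezoid_weights(J, h)
                    # integrand at x_j is e^{-E(s) x_j} * sum_{s'} Q(s,s') F_k(s', x_J - x_j)
                    vals.append(sum(w[j] * dens[j] * succ[J - j] for j in range(J + 1)))
                G[s] = vals
            else:
                G[s] = [0.0] * (N + 1)
        delta = max(abs(G[s][J] - F[s][J]) for s in STATES for J in range(N + 1))
        F = G
        if delta < eps:       # fixed point reached on the grid
            break
    return {s: F[s][N] for s in STATES}


def sat_prob_until(cmp, p, phi1, phi2, t):
    """Sat(P_{cmp p}(phi1 U^{<=t} phi2)); cmp is one of '<', '<=', '>', '>='."""
    ok = {"<": lambda x: x < p, "<=": lambda x: x <= p,
          ">": lambda x: x > p, ">=": lambda x: x >= p}[cmp]
    probs = time_bounded_until(phi1, phi2, t)
    return {s for s in STATES if ok(probs[s])}


if __name__ == "__main__":
    a = lambda lab: "a" in lab
    b = lambda lab: "b" in lab
    print(time_bounded_until(a, b, 2.0))          # s1 close to 1 - e^{-2}
    print(sat_prob_until(">=", 0.8, a, b, 2.0))   # {s1, s2, s3}
```

The quadrature error of the composite trapezoidal rule is of order $h^2$; with $N = 200$ on $[0, 2]$ the value for $s_1$ agrees with $1 - e^{-2}$ to about $10^{-5}$, which is why the test below tolerates $10^{-3}$. For the query $tt\,U^{\le 2}(a \wedge b)$ from $s_0$ the exact value is $3\int_0^2 e^{-6x}dx = (1 - e^{-12})/2$.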
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4 Multi-terminal Decision Diagrams 

BDDs and MTBDDs. While (ordered) binary decision diagrams (BDDs) are data structures for representing boolean functions $f : \{0,1\}^n \to \{0,1\}$, multi-terminal BDDs (MTBDDs [ref], also called algebraic decision diagrams [ref]) allow terminals to be labelled with values of some domain $D$ (usually $\mathbb{R}$ or $[0,1]$), i.e. they represent functions of the type $f : \{0,1\}^n \to D$. The main idea behind the MTBDD representation is the use of acyclic rooted directed graphs for a simplified (more compact) representation of the (binary) decision tree which results from the Shannon expansion: $f(b_1, \ldots, b_n) = (1 - b_1) \cdot f(0, b_2, \ldots, b_n) + b_1 \cdot f(1, b_2, \ldots, b_n)$.

For model checking discrete-time Markov chains against PCTL-formulas it has been shown that MTBDDs can be effectively used [refs]. These techniques can potentially be adapted to our continuous-time setting, but are not able to cope with numerical integration, a technique needed for the time-bounded until operator of CSL with the iterative method sketched above. Therefore, we introduce a variant of MTBDDs that is focussed on dealing with numerical integration.

MTDDs. Multi-terminal decision diagrams (MTDDs) are a variant of MTBDDs that yield a discrete representation of real-valued functions whose arguments are either boolean variables (called state variables, since they represent the encoding of states) or real variables (called integral variables, since they represent variables over which numerical integration takes place). For instance, MTDDs can represent functions of the type $\{0,1\}^n \times \mathbb{R} \to \mathbb{R}$. For the state variables, the aforementioned Shannon expansion is used. For an integral variable $x$, a finite set $\{x_0, \ldots, x_N\}$ is chosen from the range of $x$. The function $(\ldots, x, \ldots) \mapsto f(\ldots, x, \ldots)$ is represented by the function values $f(\ldots, x_j, \ldots)$, for $0 \le j \le N$. To accomplish this, we use a representation of $f$ that is based on a discrete fragment of the decision tree where the branches for the integral variables represent the cases where $x = x_j$.

Formally, with each integral variable $x$ (over interval $[0, t]$) the following components are associated: (i) a natural number $N(x)$ that denotes the number of abscissas of $x$, (ii) a set of abscissas where $abs_j(x)$ denotes the $j$-th abscissa, (iii) a range $rng(x) = \{abs_0(x), \ldots, abs_{N(x)}(x)\}$, and (iv) a number of weights $wt^J_j(x)$ for $J \le N(x)$ and $0 \le j \le J$. The basic idea is that this representation facilitates numerical integration based on the quadrature formula:
$$\int_0^{x_J} f(x)\,dx \approx \sum_{j=0}^{J} wt^J_j(x) \cdot f(abs_j(x))$$
where $abs_j(x) = x_j = j \cdot h$ for step-size $h = t/N(x)$. This corresponds to a quadrature formula in which the interval points $abs_j(x)$ are equally-spaced abscissas [ref].

For state variable $z$, we define $rng(z) = \{0, 1\}$ and $N(z) = 1$. Let $<$ be a fixed total order on $Var$, the set of state and integral variables, such that $z < x$ for all state variables $z$ and integral variables $x$.
Definition 2. A multi-terminal decision diagram (MTDD) over $(Var, <)$ is a rooted acyclic directed graph with vertex set $V$ containing 3 types of vertices:

— each state vertex $v$ is labelled by a state variable $var(v)$ and has two children $child_0(v), child_1(v) \in V$.

— each integral vertex $v$ is labelled by an integral variable $var(v) = x$ and a natural number $epnt(v) \le N(x)$ (endpoint), and has $N(x) + 1$ children $child_0(v), \ldots, child_{N(x)}(v)$.

— each terminal vertex $v$ is labelled by a real number $val(v)$,

such that $var(v) < var(w)$ for each non-terminal vertex $v$ and non-terminal child $w$ of $v$.

(For $Var = \{v_1, \ldots, v_n\}$ with $v_i < v_{i+1}$ we refer to an MTDD over $(Var, <)$ as an MTDD over $(v_1, \ldots, v_n)$.) The constraint on the labelling of the non-terminal vertices is standard for (ordered) BDDs, and requires that on any path from the root to a terminal vertex, the variables respect the given ordering $<$. An MTDD $M$ over $(v_1, \ldots, v_n)$ represents a partial function $f_M$, the values of which are obtained by traversing $M$ starting at the root vertex as follows. For state vertex $v$, the edge from $v$ to $child_0(v)$ represents the case $var(v)$ is false; the edge from $v$ to $child_1(v)$ the case $var(v)$ is true. For integral vertex $v$, the edge from $v$ to $child_j(v)$ stands for the case where the value of the real variable $var(v) = x$ is $abs_j(x)$. The value $epnt(v)$ is needed to perform the operator Integrate (defined below). If $epnt(v) = J$ then in vertex $v$ the range of integration is $[0, x_J]$ where $x_J = abs_J(x)$ (see the footnote below). For efficiency reasons, an implementation will internally represent MTDDs in a reduced form [ref], a compact and canonical representation.

The relationship between BDDs, MTBDDs and MTDDs is as follows. An MTBDD is an MTDD without integral vertices; a BDD is an MTBDD with $val(v) \in \{0, 1\}$ for all terminal vertices $v$.

Remark 1. Note that an MTDD over $(Var, <)$ is also an MTDD over $(Var', <')$ for any superset $Var'$ of $Var$ and total order $<'$ on $Var'$ such that $v_1 < v_2$ iff $v_1 <' v_2$ for all $v_1, v_2 \in Var$.

Encoding CTMCs by MT(B)DDs. In BDD-approaches transition systems are symbolically represented by encoding states by bit vectors, and encoding the transition relation by its characteristic function. To represent the generator matrix of a CTMC by an MTDD we abstract from the names of the states, and instead, similar to [ref], use binary tuples of atomic propositions that are true in that state. Using this scheme, CTMCs are encoded as MTDDs as follows. Let $\mathcal{M} = (S, Q, L)$ be a labelled CTMC. We assume that $|S| = 2^n$ and that the labelling function $L$ is injective. (Any labelled CTMC may be transformed into one satisfying these conditions by adding dummy states and new propositions.)

Footnote: In our model checking procedure, for any integral vertex $v$ with $var(v) = x$ and $epnt(v) = J < N(x)$, the branches representing the cases where $x = x_j$ and $j > epnt(v)$ (i.e. the edges to the children $child_j(v)$) are not of importance. Accordingly, we may assume that any integral vertex $v$ with $epnt(v) = J$ has exactly $J + 1$ children $child_0(v), \ldots, child_J(v)$.
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We fix an enumeration oi, . . . , a„ of atomic propositions and identify each state 
s with the boolean n-tuple (5i,...,5„) where 5^ = 1 iff G L{s). In what 
follows, we assume that S = {0,1}” where we identify each state s with its 
encoding and the generator matrix Q with the function F : {0,1 }^” — > IR 
where F(zi, z{, . . . , z„, z'„) = Q((zi, . . . , z„), (z{, . . . , z^)). We represent M by 
the MTBDD Q for Q over (zi, z{, . . . , z„, z^), in other words /q = F. Note that 
Q does not contain integral variables and hence is a MTBDD. 

Example 4. Consider the CTMC of Example [ref]. According to the above scheme we encode the states by $s_0 \mapsto 00$, $s_1 \mapsto 01$, $s_2 \mapsto 10$ and $s_3 \mapsto 11$. The function $F = f_{\mathbf{Q}}$ and the MTDD $\mathbf{Q}$ are given by:

$F(0,1,0,1) = 3$
$F(0,0,0,1) = 3$
$F(0,1,1,0) = 1$
$F(1,0,0,1) = 0.5$
$F(1,1,1,1) = 2$
$F(z_1, z_1', z_2, z_2') = 0$ otherwise

[Figure: the MTDD $\mathbf{Q}$, not reproduced in this scan] where dotted lines denote zero-edges and solid lines one-edges.

Operators on MTDDs. The symbolic model checking algorithm in this paper uses several operators on MTDDs that are slight modifications of equivalent operators on BDDs [ref] and MTBDDs [ref]. For space reasons we only briefly describe these operators and focus on the new operators, in particular substitution and computing integrals. As is standard in the BDD setting, hash tables can be used to generate a reduced MTDD during its construction.

— Combining MTDDs via binary operators. Operator Apply allows a pointwise application of the binary operator $op$ (like summation or multiplication) to two MTDDs. For MTDDs $M_1$ and $M_2$ over $(v_1, \ldots, v_n)$, Apply$(M_1, M_2, op)$ yields an MTDD $M$ over $(v_1, \ldots, v_n)$ for the function $f_M = f_{M_1} \; op \; f_{M_2}$.

— Variable renaming. Operator Rename changes the variable labelling of any $v_i$-labelled vertex of MTDD $M$ over $(v_1, \ldots, v_n)$ into $w$, for $w \neq v_j$, $0 < j \leq n$. Rename$(M, v_i, w)$ yields an MTDD over $(v_1, \ldots, v_{i-1}, w, v_{i+1}, \ldots, v_n)$.

— Restriction. For state variable $v_i = z$ and boolean $b$, Restrict$(M, z, b)$ denotes the MTDD over $(v_1, \ldots, v_{i-1}, v_{i+1}, \ldots, v_n)$ that is obtained from $M$ by replacing any edge from a vertex $v$ to a $z$-labelled vertex $w$ by an edge from $v$ to $child_b(w)$, followed by removing all $z$-labelled vertices. In a similar way, Restrict$(M, x, x_j)$ is defined for $v_i = x$ an integral variable, $0 \leq j \leq N(x)$ and $x_j = abs_j(x)$.

— Comparison operators. Given MTDD $M$ without integral vertices and over $n$ state variables, and interval $I$, Compare$(M, I)$ is the BDD representing the function that equals 1 if $f_M(b_1, \ldots, b_n) \in I$ and 0 otherwise.

— Matrix/vector multiplication. Let MTBDDs $\mathbf{Q}$ and $\mathbf{B}$ without integral vertices over $2n$ and $n$ state variables, respectively, represent the matrix $Q$ and vector $b$. Then Multi$(\mathbf{Q}, \mathbf{B})$ denotes the MTBDD over $n$ variables that represents the vector $Q \cdot b$. This operator can easily be modified for MTDDs. E.g. if $\mathbf{Q}$ is an MTDD over $(v_1, \ldots, v_n, w_1, \ldots, w_m)$ and $\mathbf{B}$ an MTDD over $(w_1, \ldots, w_m)$ then Multi$(\mathbf{Q}, \mathbf{B})$ represents the function

$$(v_1, \ldots, v_n) \mapsto \sum_{w_i} f_{\mathbf{Q}}(v_1, \ldots, v_n, w_1, \ldots, w_m) \cdot f_{\mathbf{B}}(w_1, \ldots, w_m).$$

— Substitution. Let $M$ be an MTDD over $(v_1, \ldots, v_n)$ where $v_n = x$ is an integral variable with $N(x) = N$ and assume $y \neq v_i$ for all $i$. Assume that for any $x$-labelled vertex $v$ in $M$ we have $epnt(v) = N$. Then Subst$(M, y, x)$ denotes the MTDD over $(v_1, \ldots, v_{n-1}, y, x)$ which represents the partial function that equals $f_M(\ldots, y - x)$ for $0 \leq x \leq y$ and is undefined otherwise. Subst$(M, y, x)$ results from $M$ by replacing any $x$-labelled vertex $v$ by the subgraph depicted as:

[Figure: the replacement subgraph, not reproduced in this scan]

In the figure (visualising the decision tree instead of the reduced MTDD), children are depicted from left to right and vertices $child_i(v_j')$ where $i > j$ are omitted. Here $f_j = val(child_j(v))$ for $0 \leq j \leq N$. More precisely, new vertices $v', v_0', \ldots, v_N'$ are introduced with $var(v') = y$, $var(v_j') = x$, $child_j(v') = v_j'$, $epnt(v') = N$ and $epnt(v_j') = j$.

— Computing integrals. Let $v_n = x$ be an integral variable² with $N(x) = N$, $rng(x) = \{x_0, \ldots, x_N\}$ and $wt_J(x) = (\omega_0, \ldots, \omega_J)$. Then, Integrate$(M, x)$ denotes the MTDD over $(v_1, \ldots, v_{n-1})$ that results from $M$ by replacing any $x$-labelled vertex $v$ with $epnt(v) = J$ by the terminal vertex labelled by

$$\sum_{j=0}^{J} \omega_j \cdot val(child_j(v))$$

where $\omega_0 = 0$ for $J = 0$. Thus, if $epnt(v) = N(x)$ for each $x$-labelled vertex $v$ in $M$ then Integrate$(M, x)$ represents an approximation of the function $(\ldots) \mapsto \int_0^{x_N} f_M(\ldots, x)\,dx$.

Besides the described operators on MTDDs, our model checking algorithm uses methods for boolean combinators and for a BDD-based graph analysis, e.g. to obtain the bottom strongly connected components of the graph underlying a CTMC, and MTBDD-based methods for solving linear equation systems, e.g. to compute the probabilities $\pi_{s'}(s)$. For these algorithms we refer to [ref].

² Note that we assume that $x = v_n$; hence $v_n$ is the largest in the variable ordering, and the children of an $x$-labelled vertex are terminal vertices.
5 Symbolically Model Checking CSL

Our symbolic model checking algorithm for CSL works as follows. Let $\mathcal{M} = (S, Q, L)$ be a CTMC which is represented by an MT(B)DD $\mathbf{Q}$ over $2n$ variables as explained in the previous section. For each CSL state formula $\Phi$ we define a BDD $\mathrm{Sat}[\Phi]$ over $(z_1, \ldots, z_n)$ that represents the characteristic function of the set $Sat(\Phi)$; for each CSL path formula $\varphi$ we define an MTBDD $\mathrm{PR}[\varphi]$ representing the function $s \mapsto Prob(s, \varphi)$. By applying standard operators on MTBDDs we determine the MTBDDs $\mathbf{P}$, representing the transition probability matrix $P$ of $\mathcal{M}$, and $\mathbf{SP}$ representing the steady-state probabilities $\pi_{s'}(s)$ for $s, s' \in S$. $\mathrm{Sat}[\Phi]$ is defined as follows:

$\mathrm{Sat}[tt] = \mathbf{1}$
$\mathrm{Sat}[a_i] =$ the BDD for the boolean function $(z_1, \ldots, z_n) \mapsto z_i$
$\mathrm{Sat}[\neg\Phi] = \neg\mathrm{Sat}[\Phi]$
$\mathrm{Sat}[\Phi_1 \wedge \Phi_2] = \mathrm{Sat}[\Phi_1] \wedge \mathrm{Sat}[\Phi_2]$
$\mathrm{Sat}[\mathcal{S}_{\bowtie p}(\Phi)] = \mathrm{Compare}(\mathrm{Multi}(\mathbf{SP}, \mathrm{Sat}[\Phi]'), I_{\bowtie p})$
$\mathrm{Sat}[\mathcal{P}_{\bowtie p}(\varphi)] = \mathrm{Compare}(\mathrm{PR}[\varphi], I_{\bowtie p})$.

Here, $\mathbf{1}$ denotes the BDD consisting of a single terminal vertex labelled by 1. $\mathrm{Sat}[a_i]$ is a BDD consisting of a single state vertex $v$ labelled with $z_i$ such that $child_0(v)$ and $child_1(v)$ are labelled with 0 and 1, respectively. $\mathrm{Sat}[\Phi]'$ denotes $\mathrm{Sat}[\Phi]$ where $z_i$ is renamed into $z_i'$ (using nested applications of Rename). The definition of $\mathrm{Sat}[\mathcal{S}_{\bowtie p}(\Phi)]$ is justified by the characterisation of $\pi_{Sat(\Phi)}(s)$ in Section [ref].

MTBDD $\mathrm{PR}[\varphi]$ is defined by induction over the structure of $\varphi$. For $\varphi = \mathcal{X}\Phi$ and $\varphi = \Phi_1 \,\mathcal{U}\, \Phi_2$, the MTBDD $\mathrm{PR}[\varphi]$ can be obtained in the same way as for the discrete-time probabilistic case [ref]. This follows directly from the first two clauses of Theorem [ref]. For the time-bounded until-operator we define:

$$\mathrm{PR}[\Phi_1 \,\mathcal{U}^{\leq t}\, \Phi_2] = \mathrm{BoundedUntil}(\mathbf{Q}, \mathrm{Sat}[\Phi_1], \mathrm{Sat}[\Phi_2], t, k_{max}, \varepsilon)$$

where $k_{max}$ indicates the maximum number of iterations and $\varepsilon$ is the maximum desired tolerance of the approximation. The algorithm for BoundedUntil is listed in Table 1. Here, $\mathbf{F}_0$ represents the first approximation $F_0(s, t) = 0$. First the MT(B)DD $\mathbf{H}$ for the function $f_{\mathbf{H}}(s, s', x) = Q(s, s') \cdot e^{-E(s) \cdot x}$ is constructed. This requires as input the MTBDD representation $\mathbf{E}$ of $E$, which can easily be obtained from the MTDD $\mathbf{Q}$ representing the generator matrix (cf. Section [ref]). $\mathbf{X}$ consists of a single integral vertex labelled by $x$ with $N+1$ terminal vertices labelled with the values $x_0, \ldots, x_N$. Here we assume that $N$ is sufficiently large. In the first five steps of the iteration, the MTDD representation of $F_{k+1}$ is constructed systematically. More precisely, $\mathbf{F}_k$ represents (approximations of) the values $F_k(s, x_j)$ ($0 \leq j \leq N$) where $x_j = j \cdot h$ and $h = t/N$. $\mathbf{I}'$ represents the function $f_{\mathbf{I}'}(s', y, x) = F_k(s', y - x)$. MTDD $\mathbf{J}$ represents the function

$$f_{\mathbf{J}}(s, s', y, x) = Q(s, s') \cdot e^{-E(s) \cdot x} \cdot F_k(s', y - x).$$
algorithm BoundedUntil($\mathbf{Q}$, $\mathbf{B}_1$, $\mathbf{B}_2$, $t$, $k_{max}$, $\varepsilon$):
begin
    $\mathbf{F}_0 := \mathbf{0}$; $k := 0$;
    $\mathbf{H} := \mathrm{Apply}(\mathbf{Q}, \mathrm{Apply}(\mathbf{E}, \mathbf{X}, (g_1, g_2) \mapsto e^{-g_1 \cdot g_2}), \cdot)$;
    repeat
        $\mathbf{I}' := \mathrm{Subst}(\mathbf{F}_k, x, y)$;
        $\mathbf{J} := \mathrm{Apply}(\mathbf{H}, \mathbf{I}', \cdot)$;
        $\mathbf{K} := \mathrm{Multi}(\mathbf{J}, \mathbf{1})$;
        $\mathbf{L} := \mathrm{Rename}(\mathrm{Integrate}(\mathbf{K}, x), y, x)$;
        $\mathbf{F}_{k+1} := \mathrm{Apply}(\mathrm{Apply}(\mathbf{L}, \mathbf{B}_1, \min), \mathbf{B}_2, \max)$;
        $\mathbf{D}_{k+1} := \mathrm{Apply}(\mathbf{F}_{k+1}, \mathbf{F}_k, -)$;
        $\Delta_{k+1} := \max_{s, j} |f_{\mathbf{D}_{k+1}}(s, x_j)|$;
        $k := k + 1$;
    until ($k = k_{max}$ or $\Delta_k \leq \varepsilon$);
    if $\Delta_k \leq \varepsilon$ then return $\mathrm{Restrict}(\mathbf{F}_k, x, t)$ else return error;
end.

Table 1. Algorithm for BoundedUntil



For this, we consider $\mathbf{J}$ as the MTDD representation of a matrix whose rows are indexed by triples $(s, y, x)$, and whose columns are indexed by $s'$. Matrix-vector multiplication with $\mathbf{1}$, the MTDD over $(z_1', \ldots, z_n')$ that represents the constant function $s' \mapsto 1$, yields MTDD $\mathbf{K}$ over $(z_1, \ldots, z_n, y, x)$ representing

$$f_{\mathbf{K}}(s, y, x) = \sum_{s' \in S} f_{\mathbf{J}}(s, s', y, x).$$

By Integrate$(\mathbf{K}, x)$ the integrals $\int_0^{x_j} f_{\mathbf{K}}(s, x_j, x)\,dx$ are approximated by $\sum_{i=0}^{j} \omega_i \cdot f_{\mathbf{K}}(s, x_j, x_i)$. For generating the MTDD $\mathbf{F}_{k+1}$ that represents the function $(s, x) \mapsto 1$ if $s \models \Phi_2$, $(s, x) \mapsto f_{\mathbf{L}}(s, x)$ if $s \models \Phi_1 \wedge \neg\Phi_2$ and $(s, x) \mapsto 0$ otherwise, we use the fact that $F_{k+1}(s, x) = \max\{\min\{f_{\mathrm{Sat}[\Phi_1]}(s), f_{\mathbf{L}}(s, x)\}, f_{\mathrm{Sat}[\Phi_2]}(s)\}$.

Finally, after the calculation of $\mathbf{F}_{k+1}$, the result is compared with the result of the previous iteration, by an inspection of the terminal nodes of $\mathbf{D}_{k+1}$ which represents the difference between $\mathbf{F}_k$ and $\mathbf{F}_{k+1}$. The iteration is finished if either the indicated maximum number of iterations is reached, or the tolerance of an "acceptable" approximation results.



Example 5. Consider our running example and check $s_1 \models \mathcal{P}_{\leq 0.5}(a \,\mathcal{U}^{\leq 2}\, b)$. We assume that $N$ equals 4 and adopt the trapezoidal method for numerical integration. The MTBDD $\mathbf{Q}$ is the same as in Example 4. In the first iteration we obtain for $\mathbf{F}_1$ a single state vertex $v$ labelled $z_1$ with $child_1(v) = \mathbf{1}$, the terminal vertex labelled 1. In the second iteration we obtain the MTDD $\mathbf{F}_2$ depicted on the right [figure not reproduced in this scan]. Here

$n_1 = \tfrac{1}{4} + \tfrac{1}{4} \cdot e^{-0.5}$,
$n_2 = \tfrac{1}{2} \cdot (\tfrac{1}{2} + e^{-0.5}) + \tfrac{1}{4} \cdot e^{-1}$,
$n_3 = \tfrac{1}{2} \cdot (\tfrac{1}{2} + e^{-0.5} + e^{-1}) + \tfrac{1}{4} \cdot e^{-1.5}$, and
$n_4 = \tfrac{1}{2} \cdot (\tfrac{1}{2} + e^{-0.5} + e^{-1} + e^{-1.5}) + \tfrac{1}{4} \cdot e^{-2}$.

The third iteration reveals that $\mathbf{F}_3 = \mathbf{F}_2$, so the algorithm finishes and returns $\mathbf{R} = \mathrm{Restrict}(\mathbf{F}_3, x, 2)$, obtained from $\mathbf{F}_3$ by replacing the subgraph starting in vertex $x$ by the terminal vertex with label $n_4 \approx 0.882604$. Finally, Compare$(\mathbf{R}, I_{\leq 0.5})$ reveals that $\mathcal{P}_{\leq 0.5}(a \,\mathcal{U}^{\leq 2}\, b)$ is indeed violated in $s_1$. Increasing the number of abscissas increases the accuracy: e.g. $N = 64$ leads to 0.8647350 as an approximation for $1 - e^{-2}$.
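As an added illustration (not code from the paper), the iteration of Table 1 carried out explicitly on vectors indexed by state and abscissa instead of on MTDDs, over the running-example CTMC of Example 4 with the trapezoidal rule. The labelling $Sat(a) = \{s_1, s_3\}$, $Sat(b) = \{s_2, s_3\}$ and the exit rate $E(s)$ taken as the row sum of $Q$ are assumptions chosen to reproduce the numbers of Example 5.

```python
import math

# Running-example CTMC, constructed here from Example 4 of the paper: states
# s0..s3 are encoded 00, 01, 10, 11 and F(z1, z1', z2, z2') = Q(s, s') gives
# Q(s0,s1) = 3, Q(s0,s3) = 3, Q(s1,s2) = 1, Q(s2,s1) = 0.5, Q(s3,s3) = 2.
Q = [[0.0, 3.0, 0.0, 3.0],
     [0.0, 0.0, 1.0, 0.0],
     [0.0, 0.5, 0.0, 0.0],
     [0.0, 0.0, 0.0, 2.0]]
# Assumed labelling (b = a1 = z1, a = a2 = z2): Sat(a) = {s1, s3}, Sat(b) = {s2, s3}.
# Characteristic vectors play the role of the BDDs Sat[Phi1] and Sat[Phi2].
SAT_A = [0.0, 1.0, 0.0, 1.0]
SAT_B = [0.0, 0.0, 1.0, 1.0]


def exit_rates(Q):
    """E(s) = sum over s' of Q(s, s') (assumed: row sums, self-loops included)."""
    return [sum(row) for row in Q]


def trapezoid_weights(J, h):
    """Weights w_0..w_J of the trapezoidal rule on [0, x_J] with step h;
    the degenerate range J = 0 gets the single weight 0 (w_0 = 0)."""
    if J == 0:
        return [0.0]
    return [h / 2.0] + [h] * (J - 1) + [h / 2.0]


def bounded_until(Q, sat1, sat2, t, N, kmax=100, eps=1e-12):
    """Explicit (matrix) version of BoundedUntil from Table 1.

    Returns F[s][j], approximating Prob(s, Phi1 U^{<= x_j} Phi2) for the
    abscissas x_j = j*h, h = t/N (the MTDD F_k with the time variable x still
    present).  Raises if the tolerance is not met within kmax iterations,
    mirroring the 'error' branch of the algorithm.
    """
    S = range(len(Q))
    E = exit_rates(Q)
    h = t / N
    x = [j * h for j in range(N + 1)]
    # H(s, s', x_i) = Q(s, s') * exp(-E(s) * x_i)          (first step of Table 1)
    H = [[[Q[s][s2] * math.exp(-E[s] * x[i]) for i in range(N + 1)] for s2 in S] for s in S]
    F = [[0.0] * (N + 1) for _ in S]                        # F_0 = 0
    for _ in range(kmax):
        F_next = [[0.0] * (N + 1) for _ in S]
        for s in S:
            for J in range(N + 1):
                w = trapezoid_weights(J, h)
                # K(s, x_J, x_i) = sum_{s'} H(s, s', x_i) * F_k(s', x_J - x_i)   (steps I', J, K)
                # L(s, x_J)      = sum_i w_i * K(s, x_J, x_i)                     (Integrate, Rename)
                L = sum(w[i] * sum(H[s][s2][i] * F[s2][J - i] for s2 in S) for i in range(J + 1))
                # F_{k+1}(s, x_J) = max{ min{ Sat[Phi1](s), L(s, x_J) }, Sat[Phi2](s) }
                F_next[s][J] = max(min(sat1[s], L), sat2[s])
        # Delta_{k+1}: largest absolute terminal value of D_{k+1} = F_{k+1} - F_k
        delta = max(abs(F_next[s][J] - F[s][J]) for s in S for J in range(N + 1))
        F = F_next
        if delta <= eps:
            return F
    raise RuntimeError("BoundedUntil: tolerance not reached within kmax iterations")


def prob_bounded_until(Q, sat1, sat2, t, N):
    """PR[Phi1 U^{<=t} Phi2] as a vector over states, i.e. Restrict(F_k, x, t)."""
    return [row[N] for row in bounded_until(Q, sat1, sat2, t, N)]


def compare(vector, lo, hi):
    """Compare(M, I) for the interval I = [lo, hi]: characteristic vector of {s | M(s) in I}."""
    return [lo <= p <= hi for p in vector]


if __name__ == "__main__":
    for N in (4, 64):
        pr = prob_bounded_until(Q, SAT_A, SAT_B, 2.0, N)
        print(f"N={N:2d}: Prob(s1, a U<=2 b) ~ {pr[1]:.7f}   exact 1-e^-2 = {1 - math.exp(-2):.7f}")
    # Does s1 satisfy P_{<=0.5}(a U^{<=2} b)?  No, as in Example 5.
    print("s1 |= P<=0.5:", compare(prob_bounded_until(Q, SAT_A, SAT_B, 2.0, 4), 0.0, 0.5)[1])
```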

6 Concluding Remarks 

We have presented a symbolic model checking algorithm for verifying properties stated in CSL over continuous-time Markov chains. The basis of this model checking procedure is a characterisation of time-bounded until in terms of a Volterra integral equation system that can be solved by iteration. To solve the integrals in a symbolic way we generalised MTBDDs into multi-terminal decision diagrams (MTDDs) and presented suitable operators on these structures that facilitate a numerical integration using quadrature formulas based on equally-spaced abscissas. Due to their suitability for numerical integration, the potential application of MTDDs is much wider than model checking CTMCs.

An important direction for future research is the implementation of the proposed algorithm that should provide evidence about the adequacy of our approach. Amongst others, the size of intermediate MTDDs is unclear yet, and we want to compare our technique with standard methods to extract performance measures from Markov chains [ref]. In fact, CSL and the algorithm can be generalised such that transient and steady state measures are expressible and can be approximated. We also plan to consider CTMCs that may contain non-determinism, like stochastic transition systems [ref] or interactive Markov chains [ref]. We believe that by extending our approach with schedulers in a similar way as for the discrete-time probabilistic case [ref] this is feasible.

Acknowledgement. We thank Markus Siegle for discussion about our initial ideas 
concerning MTDDs. Ed Brinksma provided valuable comments on an earlier version. 
Abstract. We present an in-depth discussion of the relationships between synchrony and asynchrony. Simple models of both paradigms are presented, and we state theorems which guarantee correct desynchronization, meaning that the original synchronous semantics can be reconstructed from the result of this desynchronization. Theorems are given for both the desynchronization of single synchronous programs, and for networks of synchronous programs to be implemented using asynchronous communication. Assumptions for these theorems correspond to proof obligations that can be checked on the original synchronous designs. If the corresponding conditions are not satisfied, suitable synchronous mini-programs which will ensure correct desynchronization can be composed with the original ones. This can be seen as a systematic way to generate "correct protocols" for the asynchronous distribution of synchronous designs. The whole approach has been implemented, in the framework of the SACRES project, within the Sildex tool marketed by TNI, as well as in the Signal compiler.



1 Introduction 

Synchronous programming has been proposed as an efficient approach [ref] for the design of reactive and real-time systems. It has been widely publicized, using the idealized picture of "zero time" computation and instantaneous broadcast communication [ref]. Efficient techniques for code generation and verification have resulted [ref].

Criticisms have been addressed to this approach. It has been argued that, very frequently, real-life architectures do not obey the ideal model of perfect synchrony. Counter-examples are numerous: operating systems with multi-threading or multitasking, distributed architectures, asynchronous hardware, etc.

However, similarities and formal links between synchrony and asynchrony have already been discussed in the literature, thus questioning the oversimplified vision of "zero time" computation and instantaneous broadcast communication. Early paper [ref] informally discussed the link between perfect synchrony and token-based asynchronous data-flow networks, see in particular section V therein. The first formal and deep study can be found in [ref]. It establishes a precise relation between so-called well-clocked synchronous functional programs and the subset of Kahn networks amenable to "buffer-less" evaluation.

* This work is or has been supported in part by the following projects: Esprit R&D-SACRES (Esprit project EP 20897), Esprit LTR-SYRF (Esprit project EP 22703).

Jos C.M. Baeten, Sjouke Mauw (Eds.): CONCUR'99, LNCS 1664, pp. 162-..., 1999.

Distributed code generation from synchronous programs requires addressing the issue of the relationship between synchrony and asynchrony in a different way. Mapping synchronous programs to a network of automata, communicating asynchronously via unbounded FIFOs, has been implemented for the Lustre language and formalized in [ref]. Mapping Signal programs to distributed architectures was proposed in [ref], based on an early version of the theory we present in this paper. The SynDEx tool [ref] also implements a similar approach. Recent work on the POLIS system [ref] proposes to reuse the "constructive semantics" approach for the Esterel synchronous language [ref], with CFSM (Codesign Finite State Machines) as a model for synchronous machines which can be desynchronized; this can be seen as a refinement of [ref], although the referred model of asynchrony is not fully stated.

Independently, another approach relating synchrony and asynchrony has been followed. In [ref] it is shown how nondeterministic Signal programs can be used to model asynchronous communication media such as queues and buffers. Reactive Modules [ref] were proposed as a synchronous language for hardware modeling, in which asynchrony is emulated by the way of nondeterminism. Although this is of interest, we believe this approach is not suited to the analysis of true asynchrony, in which no notion of global synchronization state is available, unlike for synchrony.

In this paper we provide an extensive, in depth, analysis of the links between synchrony and asynchrony. Our vision of asynchrony encompasses distributed systems, in which no global synchronization state is available, and communications/actions are not instantaneous. This extension allows us to handle incomplete designs, specifications, properties, architectures, and executable programs, in a unified framework, for both synchronous and asynchronous semantics.

In section 2 we informally discuss the essentials of synchrony and asynchrony. Synchronous Transition Systems are defined in section 3 and their asynchronous counterpart is defined in section 4, where also desynchronization is formally defined. The rest of the paper is devoted to the analysis of desynchronization and its inverse, namely resynchronization.

2 The Essentials of the Synchronous Paradigm 

There have been several attempts to characterize the essentials of the synchronous paradigm [ref]. With some experience and after many attempts to address the issue of moving from synchrony to asynchrony (and back), we feel the following features are indeed essential for characterizing this paradigm:

1. Programs progress via an infinite sequence of reactions: $P = R^\omega$, where $R$ denotes the family of possible reactions.¹

¹ In fact, "reaction" is a slightly restrictive term, as we shall see in the sequel that "reacting to the environment" is not the only possible kind of interaction a synchronous system may have with its environment.
2. Within a reaction, decisions can be taken on the basis of the absence of some events, as exemplified by the following typical statements, taken from Esterel, Lustre, and Signal respectively:

    present S else 'stat'
    y = current x
    y := u default v

The first statement is self-explanatory. The "current" operator delivers the most recent value of x at the clock of the considered node; it thus has to test for absence of x before producing y. The "default" operator delivers its first argument when it is present, and otherwise its second argument.

3. Parallel composition is given by taking the pairwise conjunction of associated reactions, whenever they are composable: $P_1 \parallel P_2 = (R_1 \wedge R_2)^\omega$. Typically, if specifying is the intention, then the above formula is a perfect definition of parallel composition. In contrast, if programming is the intention, then the need for this definition to be compatible with an operational semantics complicates very much the "when it is defined" prerequisite.²

Of course, such a characterization of the synchronous paradigm makes the class of synchronous formalisms much larger than usually considered. But it has been our experience that these were the key features for the techniques we have developed so far. Clearly, this calls for a simplest possible formalism with the above features, on which fundamental questions should be investigated: the design of the STS formalism³ described in the next section has been guided by these objectives.

Keeping in mind the essentials of the synchronous paradigm, we are now ready to discuss informally how asynchrony relates to synchrony. Referring to points 1, 2 and 3 above, the following can be stated about asynchrony:

1. Reactions cannot be observed any more: since no global clock exists, global synchronization barriers which indicate the transition from one reaction to the next one are no longer observable. Instead, a reliable communication medium is assumed, in which messages are not lost, and for each individual channel, messages are sent and received in the same order. We call a flow the totally ordered sequence of values sent or received on a given communication channel.

2. Absence cannot be detected, and thus cannot be used to exercise control.

3. Composition occurs by means of unifying each flow shared between two processes. This models in particular the communications via asynchronous unbounded FIFOs, such as those in Kahn networks. Rendez-vous type of communication can also be abstracted in this way.

Synchrony and asynchrony are formalized in sections 3 and 4 respectively. Section [ref] details how these results can be put into practice.

² For instance, most of the effort related to the semantics of Esterel has been directed toward solving this issue satisfactorily [ref].

³ We thank Amir Pnueli for having proposed this formalism, in the course of the SACRES research project, as a minimal framework capturing the paradigm of perfect synchrony.
3 Synchronous Transition Systems (STS)

Synchronous Transition Systems (STS). We assume a vocabulary $\mathcal{V}$ which is a set of typed variables. All types are implicitly extended with a special element $\bot$, interpreted as absence. Among the types we consider, there are the type of pure signals with domain $\{t\}$, and the boolean type with domain $\{t, f\}$ (recall both types are extended with the distinguished element $\bot$). We define a state $s$ to be a type-consistent interpretation of $\mathcal{V}$, assigning a value to each variable. We denote by $S$ the set of all states. For a subset of variables $V \subseteq \mathcal{V}$, a $V$-state is a type-consistent interpretation of $V$. Thus a $V$-state $s$ assigns a value $s[v]$ to each variable $v$ in set $V$; the tuple of values assigned to the set of variables $V$ is denoted by $s[V]$.

We define a Synchronous Transition System (STS) to be a tuple $\Phi = (V, \Theta, \rho)$ consisting of the following components: $V$ is a finite set of typed variables, $\Theta$ is an assertion on $V$-states characterizing the set of initial states $\{s \mid s \models \Theta\}$ and $\rho$ is the transition relation relating past and current $V$-states, $s^-$ and $s$, by referring to both past⁴ and current values of variables in $V$. For example the assertion $x = x^- + 1$ states that the value of $x$ in $s$ is greater by 1 than its value in $s^-$. If $(s^-, s) \models \rho$ then we say that state $s^-$ is a $\rho$-predecessor of state $s$.

Runs. A run $\sigma : s_0, s_1, s_2, \ldots$ is a sequence of states such that $s_0 \models \Theta \;\wedge\; \forall i > 0 : (s_{i-1}, s_i) \models \rho$.

Composition. The composition of two STS $\Phi = \Phi_1 \parallel \Phi_2$ is defined as follows: $\Phi = (V = V_1 \cup V_2,\; \Theta = \Theta_1 \wedge \Theta_2,\; \rho = \rho_1 \wedge \rho_2)$. The composition is thus the pairwise conjunction of initial and transition relations. It should be noticed that, in STS composition, interaction occurs through common variables only.

Notations for STS. For the convenience of specification, STS will have a set of reactive variables written $V_r$, implicitly augmented with associated auxiliary variables: the whole constitutes the set $V$ of variables. We shall use the following generic notations in the sequel:

— $b, c, v, w, \ldots$ denote reactive variables, and $b, c$ are used to refer to variables of boolean type.

— for $v$ a variable, $h_v \in \{t, \bot\}$ denotes its clock: $[h_v = \bot] \Leftrightarrow [v = \bot]$

— for $v$ a reactive variable, $\xi_v$ denotes its associated state variable, defined by:

    if $h_v$ then $\xi_v = v$ else $\xi_v = \xi_v^-$

Values can be given to $s_0[\xi_v]$ as part of the initial condition. Then, $\xi_v$ is always present after the first occurrence of $v$. Finally, [formula lost in the scan], therefore "state variables of state variables" need not be considered.

⁴ Usually, variables and primed variables are used to refer to current and next states. This is equivalent to our present notation. We have preferred to consider $s^-$ and $s$, just because the formulas we shall write mostly involve current variables, rather than past ones. Using the standard notation would have resulted in a burden of primed variables in the formulas.
As modularity is desirable, every STS should be permitted to do nothing while its environment is possibly working. This feature has already been identified in the literature and is known as stuttering invariance or robustness [ref]. For a STS $\Phi$, stuttering invariance is defined as follows: if $\sigma = s_0, s_1, s_2, \ldots$ is a run of $\Phi$, so is

$$s_0, \underbrace{\bot_{s_0}, \ldots, \bot_{s_0}}_{0 \leq \#\{\bot_{s_0}\} < \infty}, s_1, \underbrace{\bot_{s_1}, \ldots, \bot_{s_1}}_{0 \leq \#\{\bot_{s_1}\} < \infty}, s_2, \bot_{s_2}, \ldots, \bot_{s_2}, \ldots$$

where, for $s$ an arbitrary state, symbol $\bot_s$ denotes the silent state associated with $s$, defined by

$$\forall v \in V_r : \bot_s[v] = \bot, \quad \bot_s[\xi_v] = s[\xi_v]$$

meaning that state variables are kept unchanged whenever their associated reactive variables are absent. It should be noticed that stuttering invariance allows for runs possessing only a finite number of present states. We shall require in the sequel that all STS we consider are stuttering invariant. They should indeed satisfy: $(s^-, s) \models \rho \Rightarrow (s^-, \bot_{s^-}) \models \rho$ and $(\bot_{s^-}, s) \models \rho$. When this condition is not satisfied, we extend $\rho$ minimally so that stuttering invariance is satisfied. By convention, we shall simply write $\bot$ instead of $\bot_s$ when mentioning a particular state $s$ is not required.



4 Desynchronizing STS, and Two Fundamental Problems

From the definition of a run of a STS, we can say that a run is a sequence of tuples of values in domains extended with the extra symbol $\bot$. Desynchronizing a run amounts to discarding the synchronization barriers defining the successive reactions. Hence, for each variable $v \in V$, we only know the ordered sequence of present values. Thus desynchronizing a run amounts to mapping a sequence of tuples of values in domains extended with the extra symbol $\bot$, into a tuple of sequences of present values, one sequence per variable. This is formalized below.

For $\sigma = s_0, s_1, s_2, \ldots$ a run of $\Phi$, we decompose state $s_k$ as $s_k = (s_k[v])_{v \in V}$. Thus we can rewrite run $\sigma$ as follows: $\sigma = (\sigma[v])_{v \in V}$, where $\sigma[v] = s_0[v], s_1[v], \ldots, s_k[v], \ldots$. Now, each $\sigma[v]$ is compressed by deleting those $s_k[v]$ that are equal to $\bot$. Formally, let $k_0, k_1, k_2, \ldots$ be the subsequence of $k = 0, 1, 2, \ldots$ such that $s_k[v] \neq \bot$. Then we set: $\sigma^a = (\sigma^a[v])_{v \in V}$, where $\sigma^a[v] = s_{k_0}[v], s_{k_1}[v], s_{k_2}[v], \ldots$. This defines our desynchronization mapping $\sigma \mapsto \sigma^a$, and each $\sigma^a[v] = s_{k_0}[v], s_{k_1}[v], s_{k_2}[v], \ldots$ is called a flow in the sequel.

The asynchronous abstraction of a STS $\Phi = (V, \Theta, \rho)$ is defined as follows:

$$\Phi^a =_{def} (V, \Sigma^a) \qquad (1)$$

where $\Sigma^a$ is the family of all (asynchronous) runs $\sigma^a$, with $\sigma$ ranging over the set of (synchronous) runs of $\Phi$. For $\Phi_i = (V_i, \Theta_i, \rho_i)$, $i = 1, 2$, we define:

$$\Phi_1 \parallel^a \Phi_2 =_{def} (V, \Sigma^a), \text{ where } \begin{cases} V = V_1 \cup V_2 \\ \Sigma^a = \Sigma_1^a \wedge^a \Sigma_2^a \end{cases} \qquad (2)$$

and $\wedge^a$ denotes conjunction of sets of asynchronous runs, which we define now. For $\sigma_i^a \in \Sigma_i^a$, $i = 1, 2$, we say that $\sigma_1^a$ and $\sigma_2^a$ are unifiable, written $\sigma_1^a \bowtie^a \sigma_2^a$, if the following condition holds: $\forall v \in V_1 \cap V_2 : \sigma_1^a[v] = \sigma_2^a[v]$. If $\sigma_1^a$ and $\sigma_2^a$ are unifiable, then we define $\sigma^a =_{def} \sigma_1^a \wedge^a \sigma_2^a$ as:

$\forall v \in V_1 \cap V_2 : \sigma^a[v] = \sigma_1^a[v]$
$\forall v \in V_1 \setminus V_2 : \sigma^a[v] = \sigma_1^a[v]$
$\forall v \in V_2 \setminus V_1 : \sigma^a[v] = \sigma_2^a[v]$

Finally, $\Sigma_1^a \wedge^a \Sigma_2^a$ is the set of the so defined $\sigma^a$. Thus asynchronous composition proceeds via unification of shared flows.
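The desynchronization mapping $\sigma \mapsto \sigma^a$ and the unification-based composition $\wedge^a$ of this section, as an added example that is not part of the paper. The runs of the Signal statement `y := u default v` (section 2) and of a second STS over $\{y, z\}$ are constructed here to show that two distinct synchronous runs can have the same asynchronous run, so $\sigma$ cannot in general be recovered uniquely from $\sigma^a$.

```python
ABSENT = None  # plays the role of the symbol ⊥ (absence) inside a state


def desynchronize(run, variables):
    """sigma -> sigma^a: for each variable keep only the ordered sequence of its
    present values (its flow); the reaction boundaries are discarded."""
    return {v: [s[v] for s in run if s.get(v, ABSENT) is not ABSENT] for v in variables}


def unifiable(sigma1, sigma2):
    """sigma1^a |><|^a sigma2^a: the flows of all shared variables coincide."""
    return all(sigma1[v] == sigma2[v] for v in set(sigma1) & set(sigma2))


def unify(sigma1, sigma2):
    """sigma1^a /\\^a sigma2^a, or None when the two asynchronous runs are not unifiable."""
    if not unifiable(sigma1, sigma2):
        return None
    merged = dict(sigma1)   # flows of V1 (shared ones and V1 \ V2) come from sigma1
    merged.update(sigma2)   # flows of V2 \ V1 come from sigma2 (shared ones are equal anyway)
    return merged


def async_compose(runs1, vars1, runs2, vars2):
    """Sigma1^a /\\^a Sigma2^a for finite sets of synchronous runs:
    every unifiable pair of desynchronized runs, merged, without duplicates."""
    result = []
    for r1 in runs1:
        for r2 in runs2:
            merged = unify(desynchronize(r1, vars1), desynchronize(r2, vars2))
            if merged is not None and merged not in result:
                result.append(merged)
    return result


# Constructed runs of `y := u default v`: y carries u when u is present and v
# otherwise.  RUN_A and RUN_B differ only in which reaction each input occurs in,
# yet both desynchronize to u:[1], v:[1], y:[1, 1].
RUN_A = [{"u": 1, "v": ABSENT, "y": 1}, {"u": ABSENT, "v": 1, "y": 1}]
RUN_B = [{"u": ABSENT, "v": 1, "y": 1}, {"u": 1, "v": ABSENT, "y": 1}]
VARS_1 = ("u", "v", "y")

# Constructed runs of a second STS over {y, z} that shares only y with the first one.
RUN_C = [{"y": 1, "z": 0}, {"y": 1, "z": 1}]   # y-flow [1, 1]: unifiable with RUN_A / RUN_B
RUN_D = [{"y": 1, "z": 0}, {"y": 2, "z": 1}]   # y-flow [1, 2]: not unifiable
VARS_2 = ("y", "z")

if __name__ == "__main__":
    print(desynchronize(RUN_A, VARS_1) == desynchronize(RUN_B, VARS_1))    # True
    print(async_compose([RUN_A, RUN_B], VARS_1, [RUN_C, RUN_D], VARS_2))   # one merged run
```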

Synchrony vs. Asynchrony? At this point two natural questions arise, namely:

Question 1 (Desynchronizing a Single STS). Is resynchronization feasible and uniquely defined? More precisely, is it possible to reconstruct uniquely a synchronous run $\sigma$ of our STS from a desynchronized run $\sigma^a$?

Question 2 (Desynchronizing a Communication). Does communication behave equivalently for both the synchronous and asynchronous compositions? More precisely, does the following property hold:

$$\Phi_1^a \parallel^a \Phi_2^a = (\Phi_1 \parallel \Phi_2)^a \;? \qquad (3)$$

If question 1 had a positive answer, then we could desynchronize a run of the considered STS, and then still recover the original synchronous run. Thus a positive answer to question 1 would guarantee that the synchronous semantics is preserved when desynchronization is performed on a single STS.

On the other hand, if question 2 had a positive answer, then we could interpret our STS composition equivalently as synchronous or asynchronous.

Unfortunately, neither 1 nor 2 have positive answers in general, due to the possibility of exercising control by the way of absence in synchronous composition $\parallel$. In the following section, we show that questions 1 and 2 have positive answers under certain sufficient conditions, in which the two notions of endochrony (for point 1) and isochrony (for point 2) play a central role.

5 Endochrony and Re-synchronization

5.1 Formal Results

In this section, we use notations from section 3. For an STS $\Phi = (V, \Theta, \rho)$, and $s$ a reachable state of $\Phi$, the clock-abstraction of $s$ (denoted by $s^h$) is defined as follows:

$$\forall v \in V : s^h[v] \in \{t, \bot\}, \text{ and } s^h[v] = \bot \Leftrightarrow s[v] = \bot \qquad (4)$$

For a STS $\Phi = (V, \Theta, \rho)$, $s^-$ a reachable state for $\Phi$, and $W' \subseteq W \subseteq V$, we say that $W$ is a clock inference of $W'$ given $s^-$, written $W' \to_{s^-} W$, if for each state $s$ of $\Phi$ reachable from $s^-$, knowing the presence/absence and actual value carried by each variable belonging to $W'$ allows us to determine exactly the presence/absence of each variable belonging to $W$. In other words $s[W']$ uniquely determines $s^h[W]$.

If both $W' \to_{s^-} W_1$ and $W' \to_{s^-} W_2$ hold, then $W' \to_{s^-} (W_1 \cup W_2)$ follows, thus there exists a greatest $W$ such that $W' \to_{s^-} W$ holds. Hence we can consider the unique maximal increasing sequence of subsets of $V$, for a given $s^-$,

$$\emptyset = V(0) \to_{s^-} V(1) \to_{s^-} V(2) \to_{s^-} \cdots \qquad (5)$$

in which, for each $k > 0$, $V(k)$ is the greatest set of variables such that $V(k-1) \to_{s^-} V(k)$ holds. As $\emptyset = V(0)$, $V(1)$ consists in the subset of variables that are present as soon as the considered STS gets activated or which are always absent in successor states of $s^-$. Of course sequence (5) must become stationary at some finite $k_{max}$: $V(k_{max} + 1) = V(k_{max})$. In general, we only know that $V(k_{max}) \subseteq V$. Sequence (5) is called the synchronization sequence of $\Phi$ in state $s^-$.

Definition 1 (Endochrony). A STS $\Phi$ is said to be endochronous if, for each reachable state $s^-$ of $\Phi$, $V(k_{max}) = V$, i.e., if the synchronization sequence:

$$\emptyset = V(0) \to_{s^-} V(1) \to_{s^-} V(2) \to_{s^-} \cdots \text{ converges to } V \qquad (6)$$

Condition (6) expresses that presence/absence of all variables can be inferred incrementally from already known values carried by present variables and state variables of the STS in consideration. Hence no test for presence/absence on the environment is needed. The following theorem justifies our approach:

Theorem 1. Consider a STS $\Phi = (V, \Theta, \rho)$.

1. Conditions (a) and (b) given below are equivalent:

(a) $\Phi$ is endochronous.

(b) For each $\delta \in \Sigma^a$, we can reconstruct the corresponding synchronous run $\sigma$ such that $\sigma^a = \delta$, in a unique way up to silent reactions.

2. Let us assume $\Phi$ is endochronous and stuttering invariant. If $\Phi' = (V, \Theta, \rho')$ is another endochronous and stuttering invariant STS then

$$(\Phi')^a = \Phi^a \;\Rightarrow\; \Phi' = \Phi \qquad (7)$$

Proof. We prove successively points 1 and 2.

1. We consider a previous state $s^-$ and prove the result by induction. We pick out a $\delta \in \Sigma^a$, and assume for the moment that it can be decomposed in:

$$\underbrace{s_1, s_2, \ldots, s_n}_{\text{initial segment of } \sigma \text{ of length } n}, \; \delta_n \qquad (8)$$

i.e., into a sequence of length $n$, made of non-silent states $s_i$ (the head of the synchronous run $\sigma$ we wish to reconstruct), followed by the tail of the asynchronous run $\delta$, which we denote by $\delta_n$, and we assume that such a decomposition is unique. Then we claim that

$$\text{(8) is also valid with } n \text{ substituted by } n + 1. \qquad (9)$$

To prove (9), we note that, whenever STS $\Phi$ is activated in the considered state, the presence/absence of each variable belonging to $V(1)$ is known. By assumption, the state resulting from clock-abstraction, having $V(1)$ as variables, is uniquely determined. In the sequel we write $s_{n+1}(1)$ for short instead of $s_{n+1}[V(1)]$. Thus, presence/absence of variables for state $s_{n+1}(1)$ is known; the values carried by present variables still have to be determined.

For any $v \in V(1)$, we simply take the value carried by the minimal element of the sequence associated with variable $v$ in $\delta_n$. Values carried by corresponding state variables are updated accordingly. Thus we know the presence or absence and the value of each individual variable in state $s_{n+1}(1)$.

Next we move on to constructing $s_{n+1}(2)$. From $s_{n+1}(1)$ we know $s^h_{n+1}[V(2)]$. Thus we know how to split $V(2)$ into present and absent variables for the considered state. We pick up the present ones, and repeat the same argument as before to get $s_{n+1}(2)$.

Repeating this argument until $V(k) = V$ for some finite $k$ (by endochrony assumption), proves claim (9).

Given the initial condition for $\delta$, we get from (9), by induction, the desired proof that (a) $\Rightarrow$ (b).

We shall now prove (b) $\Rightarrow$ (a). We assume that $\Phi$ is not endochronous, and show that condition (b) cannot be satisfied. If $\Phi$ is not endochronous, there must be some reachable state $s^-$ for which sequence (5) does not converge to $V$. Thus, again, we pick out a $\delta \in \Sigma^a$ decomposed in the same way as in formula (8):

$$\underbrace{s_1, s_2, \ldots, s_n}_{n\text{-initial segment of } \sigma}, \; \delta_n$$

and we assume in addition that $s_n = s^-$, the given state for which endochrony is violated. We now show that (9) is not satisfied. Let $k_* > 0$ be the smallest index such that $V(k_*) = V(k_* + 1)$; we know $V(k_*) \neq V$. Thus we can apply the algorithm of case (a) $\Rightarrow$ (b), reconstructing the reaction, until variables of $V(k_*)$. Then presence/absence for variables belonging to $V \setminus V(k_*)$ cannot be determined based on the knowledge of variables belonging to $V(k_*)$. This means that there exist several possible extensions of $s_{n+1}(k_* + 1)$ and the $(n+1)$-th reaction is not determined in a unique way. Hence condition (b) does not hold.

2. Let us assume $\Phi$ is endochronous, and consider $\Phi'$ as in point 2 of the theorem. As both $\Phi$ and $\Phi'$ are stuttering invariant, point 2 is an immediate consequence of point 1. $\square$



170 Albert Benveniste, Benoit Caillaud, and Paul Le Guernic



Comments.

1. Endochrony is not decidable in general. However, it is decidable for STS only
involving variables with finite domains of values, and model checking can
be used for that. For general STS, model checking can be used, in combination
with abstraction techniques. The case of interest is when the chain
$V(0), V(1), \ldots$ does not depend upon the particular state $s^-$, and we write
simply $V(k) \subseteq V(k + 1)$ in this case. This abstraction yields a sufficient
condition of endochrony.

2. The proof of this theorem in fact provides an effective algorithm for the
on-the-fly reconstruction of the successive reactions from a desynchronized run
of an endochronous program.

(COUNTER-)EXAMPLES.

Examples:

— a single-clocked STS.

— STS "if b = T then get u", where $b, u$ are the two inputs, and $b$ is
boolean. The clock of $b$ coincides with the activation clock for this STS,
and thus $V(1) = \{b\}$. Then, knowing the value for $b$ indicates whether
or not $u$ is present, thus $V(2) = \{b, u\} = V$.

Counter-example: STS "if ([present a] || [present b]) then ..." is not
endochronous, as the environment is free to offer any combination of
presence/absence for the two inputs $a, b$. Thus $\emptyset = V(0) = V(1) = V(2) =
\cdots \subsetneq V$, and endochrony does not hold.
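The chain of Definition 1, the decidability remark of Comment 1 and the on-the-fly reconstruction of Comment 2 can all be exercised on the two examples above. The following Python program is an added illustration and not code from the paper: it abstracts an STS by a finite value domain per variable and a "presence oracle" (both modelling assumptions of this example, not the paper's formalism), computes the state-independent chain $V(0) \subseteq V(1) \subseteq \cdots$ by enumerating the finite domains, and rebuilds synchronous reactions from one FIFO per variable, which is all that survives desynchronization. The sample flows are constructed.

```python
"""Endochrony check and on-the-fly reaction reconstruction (added example).

An STS is abstracted by its variables, a finite value domain per variable
(Comment 1) and a presence oracle: given what is already known about the
current reaction, the oracle says whether the presence of a variable is
determined (True/False) or still open (None).
"""
from itertools import product
from typing import Any, Callable, Dict, FrozenSet, List, Optional

ABSENT = None  # value recorded for a variable known to be absent


class STS:
    def __init__(self, domains: Dict[str, List[Any]],
                 oracle: Callable[[str, Dict[str, Any]], Optional[bool]]):
        self.domains = domains        # finite value domain per variable
        self.oracle = oracle          # (var, known) -> True / False / None
        self.variables = frozenset(domains)


def _knowledge_states(sts: STS, known_vars: FrozenSet[str]):
    """Every way the variables in known_vars can be observed in one reaction:
    each is ABSENT or carries one of its domain values."""
    names = sorted(known_vars)
    choices = [[ABSENT] + list(sts.domains[v]) for v in names]
    for combo in product(*choices):
        yield dict(zip(names, combo))


def synchronization_chain(sts: STS) -> List[FrozenSet[str]]:
    """The chain V(0) = {} <= V(1) <= ... of Definition 1, computed once for
    all states (the abstraction of Comment 1).  V(k+1) adds the variables whose
    presence the oracle decides in *every* knowledge state over V(k); states
    the STS can never reach only make the test stricter, so this is a
    sufficient condition, as the comment says."""
    chain = [frozenset()]
    while True:
        current = chain[-1]
        decided = set(current)
        for v in sorted(sts.variables - current):
            if all(sts.oracle(v, known) is not None
                   for known in _knowledge_states(sts, current)):
                decided.add(v)
        nxt = frozenset(decided)
        if nxt == current:            # fixpoint V(k) = V(k+1) reached
            return chain
        chain.append(nxt)


def is_endochronous(sts: STS) -> bool:
    """Endochrony holds iff the chain converges to the whole variable set."""
    return synchronization_chain(sts)[-1] == sts.variables


def reconstruct_run(sts: STS, flows: Dict[str, List[Any]]) -> List[Dict[str, Any]]:
    """Rebuild synchronous reactions from a desynchronized run given as one
    FIFO per variable.  This follows the proof of Theorem 1: walk the chain,
    decide presence of each newly decidable variable from what is already
    known, and when present consume the head of its flow."""
    chain = synchronization_chain(sts)
    if chain[-1] != sts.variables:
        raise ValueError("STS is not endochronous: reconstruction is ambiguous")
    queues = {v: list(q) for v, q in flows.items()}
    reactions = []
    while any(queues.values()):                    # until every flow is drained
        known: Dict[str, Any] = {}
        for k in range(1, len(chain)):
            for v in sorted(chain[k] - chain[k - 1]):
                present = sts.oracle(v, known)     # never None: v is in V(k)
                if present:
                    if not queues[v]:
                        raise ValueError(f"flow of {v} ended mid-reaction")
                    known[v] = queues[v].pop(0)
                else:
                    known[v] = ABSENT
        reactions.append(known)
    return reactions


def guarded_get_oracle(var: str, known: Dict[str, Any]) -> Optional[bool]:
    """STS "if b = T then get u": b has the activation clock, so it is always
    present; u is present exactly when b carries T (True here)."""
    if var == "b":
        return True
    if var == "u":
        return None if "b" not in known else known["b"] is True
    raise KeyError(var)


def free_inputs_oracle(var: str, known: Dict[str, Any]) -> Optional[bool]:
    """STS "if ([present a] || [present b]) then ...": the environment may
    offer any combination of presence/absence, so nothing is ever decided."""
    return None


GUARDED_GET = STS({"b": [True, False], "u": [0, 1]}, guarded_get_oracle)
FREE_INPUTS = STS({"a": [0, 1], "b": [0, 1]}, free_inputs_oracle)

# Constructed desynchronized run: three values on flow b, two on flow u.
SAMPLE_FLOWS = {"b": [True, False, True], "u": [7, 9]}

if __name__ == "__main__":
    print(synchronization_chain(GUARDED_GET))     # [{}, {b}, {b, u}]
    print(reconstruct_run(GUARDED_GET, SAMPLE_FLOWS))
    print(is_endochronous(FREE_INPUTS))           # False
```

The chain computation is a brute-force model check over the finite domains, which is why it only terminates for finite-domain STS; for the counter-example the chain stays at $\emptyset$ and `reconstruct_run` refuses to guess, which is the practical content of the theorem: a receiver can only rebuild reactions deterministically from the flows when endochrony holds.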



5.2 Practical Consequences

A first use of endochrony is shown in the following figure:

In this figure, a pair $(\Phi_1, \Phi_2)$ of STS is depicted, with $W$ as the set of shared
variables. Their composition is rewritten as follows: $\Phi_1 \| \Phi_2 = \Phi_1 \| \Phi_{1,2} \| \Phi_2$,
where $\Phi_{1,2}$ is the restriction of $\Phi_1 \| \Phi_2$ to $W$, hence $\Phi_{1,2}$ models a synchronous
communication medium. We obtain by using property $\Phi \| \Phi = \Phi$ for every STS $\Phi$:

$\Phi_1 \| \Phi_2 = (\Phi_1 \| \Phi_{1,2}) \| (\Phi_{1,2} \| \Phi_2) = \Psi_1 \| \Psi_2$ (10)

This model of communication medium $\Phi_{1,2}$ is endochronous, and composition
$\Phi_1 \| \Phi_2$ is implemented by the (equivalent) composition $\Psi_1 \| \Psi_2$. Since all runs of
$\Phi_{1,2}$ are also runs of $\Psi_i$ and the former is endochronous, then communication can
be equivalently implemented according to perfect synchrony or full asynchrony.







From Synchrony to Asynchrony 171

This answers question Q; however it does not extend to networks of STS
involving more than two nodes. The following figure shows a counter-example:

Transition systems $\Psi_1$ and $\Psi_2$ are assumed to be endochronous. Then
communication between $\Phi_1$ and $\Psi_1$ on the one hand, and $\Psi_2$ and $\Phi_2$ on the
other hand, can be desynchronized. Unfortunately, communication between $\Psi_1$ and
$\Psi_2$ via $\Psi$ cannot, as it is not true in general that $\Psi_1 \| \Psi \| \Psi_2$ is
endochronous. The problem is that endochrony is not compositional, hence even
ensuring in addition that $\Psi$ itself is endochronous does not work out. Thus we
would need to ensure that $\Psi_1, \Psi_2$ as well as $\Psi_1 \| \Psi \| \Psi_2$ are all
endochronous. This cannot be considered as an adequate solution when networks of
processes are considered. Therefore we move on introducing the alternative notion
of isochrony, which focusses on communication, and is compositional.

6 Isochrony, and Synchronous/Asynchronous Compositions

The next result addresses the question of when property Q holds. We are given
two STS $\Phi_i = (V_i, \Theta_i, \rho_i)$, $i = 1, 2$. Let $W = V_1 \cap V_2$ be the set of their common
variables, and $\Phi = \Phi_1 \| \Phi_2$ their synchronous composition. For each reachable
state $s$ of $\Phi$, we denote by $s_1 =_{\mathrm{def}} s[V_1]$ and $s_2 =_{\mathrm{def}} s[V_2]$ the restrictions of
state $s$ respectively to $\Phi_1$ and $\Phi_2$. It should be recalled that, for $i = 1, 2$, $s_i$ is
a reachable state of $\Phi_i$. Corresponding notations $s^-, s_1^-, s_2^-$ for past states are
used accordingly.

Definition 2 (Isochrony). Let $(\Phi_1, \Phi_2)$ be a pair of STS and $\Phi = \Phi_1 \| \Phi_2$
be their parallel composition. Transitions of $\Phi_i$, $i = 1, 2$, are written $(s_i^-, s_i)$.
The following conditions (i) and (ii) are defined on pairs $((s_1^-, s_1), (s_2^-, s_2))$ of
transitions of $(\Phi_1, \Phi_2)$:

(i) 1. $s_1^- = s^-[V_1]$ and $s_2^- = s^-[V_2]$ holds for some reachable state $s^-$ of $\Phi$, in
particular $s_1^-$ and $s_2^-$ are unifiable;

2. none of the states $s_i$, $i = 1, 2$ are silent on the common variables, i.e., it
is not the case that, for some $i = 1, 2$: $s_i[v] = \bot$ holds for all $v \in W$;

3. $s_1$ and $s_2$ coincide over the set of present common variables (*), i.e.:

$\forall v \in W : (s_1[v] \neq \bot \text{ and } s_2[v] \neq \bot) \Rightarrow s_1[v] = s_2[v]$;

(ii) States $s_1$ and $s_2$ coincide over the whole set of common variables, i.e., states
$s_1$ and $s_2$ are unifiable, i.e.,

$s_1 = s[V_1]$ and $s_2 = s[V_2]$ holds for some reachable state $s$ of $\Phi$.

The pair $(\Phi_1, \Phi_2)$ is said to be isochronous if and only if for each pair
$((s_1^-, s_1), (s_2^-, s_2))$ of transitions of $(\Phi_1, \Phi_2)$, condition (i) implies condition (ii).

(*) By convention this is satisfied if the set of present common variables is empty.
Comment. Roughly speaking, the condition of isochrony expresses that unifying
over present common variables is enough to guarantee the unification of the two
considered states $s_1$ and $s_2$. The condition of isochrony is illustrated on the
following figure:

[Figure: $s_1[W]$ and $s_2[W]$, superimposed over the shared variables $W$]

The figure depicts, for unifiable previous states $s_1^-, s_2^-$, the corresponding
states $s_1, s_2$ where $(s_i^-, s_i)$ is a valid transition for $\Phi_i$. The figure depicts the
interpretation of $s_1$ (circle on the left) and $s_2$ (circle on the right) over shared
variables $W$. White and dashed areas represent absent and present values,
respectively. The two left and right circles are superimposed in the mid circle. In
general, vertically and horizontally dashed areas do not coincide, even if $s_1$ and
$s_2$ unify over the subset of shared variables that are present for both transitions
(double-dashed area). Pictorially, unification over the double-dashed area does not
imply in general that the dashed areas coincide. Isochrony indeed requires that
unification over the double-dashed area does imply that the dashed areas coincide,
hence unification of $s_1$ and $s_2$ follows.

The following theorem justifies introducing this notion of isochrony.

Theorem 2.

1. If the pair $(\Phi_1, \Phi_2)$ is isochronous, then it satisfies property Q.

2. Conversely, we assume in addition that $\Phi_1$ and $\Phi_2$ are both endochronous.
If the pair $(\Phi_1, \Phi_2)$ satisfies property Q, then it is isochronous.

Thus, isochrony is a sufficient condition of property Q, and it is also in fact
necessary when the components are endochronous.

Comments:

1. We have already discussed the importance of enforcing property Q. Now,
why is this theorem interesting? Mainly because it replaces condition Q,
which involves infinite runs, by condition (i) $\Rightarrow$ (ii) of isochrony, which only
involves pairs of reactions of the considered pair of STS.

2. Comment 1 about endochrony also applies to isochrony.

Proof. We successively prove points 1 and 2.

1. Isochrony Implies Property Q. The proof proceeds in two steps:

1. Let $\Phi^a$ be the desynchronization of $\Phi$ defined above, and $\delta \in \Sigma^a$ be
an asynchronous run of $\Phi^a$. There is at least one corresponding synchronous
run $\sigma$ of $\Phi$ such that $\delta = \sigma^a$. Any such $\sigma$ is clearly the synchronous
composition of two unifiable runs $\sigma_1$ and $\sigma_2$ for $\Phi_1$ and $\Phi_2$, respectively.
Hence the associated asynchronous runs $\sigma_1^a$ and $\sigma_2^a$ are also unifiable, and
their asynchronous composition $\sigma_1^a \wedge^a \sigma_2^a$ belongs to $\Sigma_1^a \wedge^a \Sigma_2^a$.
Thus we always have the inclusion:

$\Phi_1^a \|^a \Phi_2^a \supseteq (\Phi_1 \| \Phi_2)^a$ (11)

Proving Q now amounts to the proof of the converse inclusion. So far we
have only used the definition of desynchronization and asynchronous
composition; isochrony has not yet been used.

2. Proving the opposite inclusion requires proving that, when moving from
asynchronous composition to the synchronous one, the additional constraints
resulting from a reaction-per-reaction matching of unifiable runs will not
result in rejecting pairs of runs that otherwise would be unifiable in the
asynchronous sense. This is where isochrony is used.

A pair $(\delta_1, \delta_2)$ of asynchronous runs is picked out such that $\delta_1 \bowtie^a \delta_2$:
they can be combined with the asynchronous composition to form some
run $\delta = \delta_1 \wedge^a \delta_2$. By definition of desynchronization, there exist a
(synchronous) run $\sigma_1$ of $\Phi_1$, and a (synchronous) run $\sigma_2$ of $\Phi_2$, such that
$\delta_i$ is obtained by desynchronizing $\sigma_i$, $i = 1, 2$ (as we do not assume endochrony
at this point, run $\sigma_i$ is not uniquely determined). Thus each run $\sigma_i$ is a
succession of states. Clearly, inserting finitely many silent states between
successive states of $\sigma_i$ would also provide valid candidates for recovering
$\delta_i$ after desynchronization. We shall show, by induction over the set of runs,
that:

properly inserting such silent states in the appropriate component
produces two runs which are unifiable in the synchronous sense. (12)

This means that, from a pair $(\delta_1, \delta_2)$ such that $\delta_1 \bowtie^a \delta_2$, we can reconstruct
(at least) one pair $(\sigma_1, \sigma_2)$ of runs of $\Phi_1$ and $\Phi_2$ that are unifiable in the
synchronous sense, and thus it proves the converse inclusion:

$\Phi_1^a \|^a \Phi_2^a \subseteq (\Phi_1 \| \Phi_2)^a$. (13)

From (11) and (13) we then deduce property Q. Thus we move on proving
(12) by induction over pairs of runs.

Let $(\sigma_1, \sigma_2)$ be a pair of runs of $\Phi_1$ and $\Phi_2$; the induction hypothesis is:

$\sigma_1^a \bowtie^a \sigma_2^a \;\Rightarrow\; \exists (\rho_1, \rho_2) \text{ runs of } \Phi_1 \text{ and } \Phi_2 \text{ s.t. } \sigma_i^a = \rho_i^a \text{ and } \rho_1 \bowtie \rho_2$ (14)

Let us assume that (14) holds for every pair of runs of ordinal strictly less
than that of $(\sigma_1, \sigma_2)$ and that $\sigma_1^a$ and $\sigma_2^a$ are asynchronously composable.
These two runs may start with infinitely or finitely many silent states over
the common variables $W$, therefore three cases may occur:

Case 1: Both runs contain some non silent state over $W$, therefore they
can be decomposed as follows: $\sigma_1 = s_{1,1}, \ldots, s_{1,k_1}, s_{1,k_1+1}, \sigma_1'$ and
$\sigma_2 = s_{2,1}, \ldots, s_{2,k_2}, s_{2,k_2+1}, \sigma_2'$, where the first $k_1$ states of $\sigma_1$ and the
first $k_2$ states of $\sigma_2$ are all silent over $W$ and $s_{1,k_1+1}, s_{2,k_2+1}$ are both
non-silent over $W$. We concentrate on those variables $v \in W$ that are present
in both states $s_{1,k_1+1}$ and $s_{2,k_2+1}$. As $\sigma_1^a \bowtie^a \sigma_2^a$ holds, then we must
have $s_{1,k_1+1}[v] = s_{2,k_2+1}[v]$ for any such $v$. Thus points 2 and 3 of
condition (i) of isochrony are satisfied. Hence, by isochrony, $s_{1,k_1+1}$ and
$s_{2,k_2+1}$ are indeed unifiable in this case. Moreover $\sigma_1'^a \bowtie^a \sigma_2'^a$, and since
the ordinal of $(\sigma_1', \sigma_2')$ is strictly less than that of $(\sigma_1, \sigma_2)$, induction
hypothesis (14) holds, and there exists $(\rho_1', \rho_2')$, a pair of composable runs
such that $\rho_i'^a = \sigma_i'^a$, $i = 1, 2$. We now define two runs by inserting silent
states in $\sigma_1$ and $\sigma_2$:

$\rho_1 = s_{1,1}, \ldots, s_{1,k_1}, \underbrace{\bot, \ldots, \bot}_{h_1 \text{ silent states}}, s_{1,k_1+1}, \rho_1'$

$\rho_2 = s_{2,1}, \ldots, s_{2,k_2}, \underbrace{\bot, \ldots, \bot}_{h_2 \text{ silent states}}, s_{2,k_2+1}, \rho_2'$

where $h_1 = \max(0, k_2 - k_1)$, $h_2 = \max(0, k_1 - k_2)$. The first $\max(k_1, k_2)$
states of $\rho_1$ and $\rho_2$ are composable because they are silent over $W$.
Recall that $s_{1,k_1+1}$ and $s_{2,k_2+1}$ are composable states and that $\rho_1' \bowtie \rho_2'$.
Therefore $\rho_1$ and $\rho_2$ are composable and $\rho_i^a = \sigma_i^a$.

Case 2: Both runs $\sigma_1 = s_{1,1}, \ldots, s_{1,i}, \ldots$ and $\sigma_2 = s_{2,1}, \ldots, s_{2,i}, \ldots$ are
silent over $W$. Therefore they are synchronously composable.

Case 3: One of the two runs $\sigma_1, \sigma_2$ is silent over $W$, while the other contains
a non-silent state. This violates the left-hand part of the implication in
the induction hypothesis (14): $\sigma_1^a \bowtie^a \sigma_2^a$ does not hold.

This proves that induction hypothesis (14) holds for runs $(\sigma_1, \sigma_2)$. By the
induction principle it also holds for every pair of runs.

2. Under Endochrony of the Components, Property Q Implies Isochrony. From
Theorem 1 we know that, in our proof of point 1 of Theorem 2, the synchronous
runs $\sigma_i$ are uniquely defined, up to silent states, from their desynchronized
counterparts $\sigma_i^a$. If isochrony is not satisfied, then, for some pair $(\sigma_1^a, \sigma_2^a)$ of
unifiable asynchronous runs, and their decompositions $\sigma_i = (s_{i,j})_{j \ge 0}$, $i = 1, 2$, it
follows that the points of condition (i) of isochrony are satisfied, and there exists
$n > 0$ such that states $s_{1,n}$ and $s_{2,n}$ are not unifiable. As our only possibility
is to try to insert silent states in the two components, our process of incremental
unification on a per reaction basis fails. Thus (14) is violated, and so is property
Q. This finishes the proof of the theorem. $\square$

An interesting immediate byproduct is the extension of these results on
desynchronization to networks of communicating synchronous components:

Corollary 1 (Desynchronizing a Network of Components). Let
$(\Phi_k)_{k=1,\ldots,K}$ be a family of STS. Let us assume that each pair $(\Phi_k, \Phi_{k'})$ is
isochronous, then:

1. For each disjoint subsets $I$ and $J$ of set $\{1, \ldots, K\}$, the pair

$(\|_{k \in I} \Phi_k, \;\|_{k \in J} \Phi_k)$ (15)

is isochronous.

2. Also, desynchronization extends to the network:

$(\Phi_1 \| \ldots \| \Phi_K)^a = \Phi_1^a \|^a \ldots \|^a \Phi_K^a$. (16)

Proof. 1. It is sufficient to prove the following restricted case of (15):

$(\Psi, \Phi_1)$ and $(\Psi, \Phi_2)$ are isochronous $\Rightarrow$ $(\Psi, \Phi_1 \| \Phi_2)$ is isochronous (17)

as (15) follows via obvious induction on the cardinality of sets $I$ and $J$. Thus
we focus on proving (17). Let $(s^-, s)$ and $(t^-, t)$ be two pairs of successive
states of $\Psi$ and $\Phi_1 \| \Phi_2$ respectively, which satisfy condition (i) of isochrony,
in Definition 2. Let $t$ be the composition (unification) of the two states $s_1$
and $s_2$ of $\Phi_1$ and $\Phi_2$, respectively. By point 2 of (i), at least one of these two
states is not silent, and we assume $s_1$ is not silent. From point 3 of (i), $s$ and
$s_1$ coincide over the set of present common variables, and thus, since pair
$(\Psi, \Phi_1)$ is isochronous, states $s$ and $s_1$ coincide over the whole set of common
variables of $\Psi$ and $\Phi_1$. Thus $s$ and $s_1$ are unifiable. But, on the other hand,
$s_1$ and $s_2$ are also unifiable since they are just restrictions of the same global
state $t$ of $\Phi_1 \| \Phi_2$. Thus states $s$ and $t$ are unifiable, and pair $(\Psi, \Phi_1 \| \Phi_2)$ is
isochronous. This proves (17).

2. The second statement is proved via induction on the number of components:

$(\Phi_1 \| \ldots \| \Phi_K)^a = ((\Phi_1 \| \ldots \| \Phi_{K-1}) \| \Phi_K)^a = (\Phi_1 \| \ldots \| \Phi_{K-1})^a \|^a \Phi_K^a$

and the induction step follows from (15). $\square$

(COUNTER-)EXAMPLES.

Examples:

— a single-clocked communication between two STS.

— the pair of STS of formula (10).

Counter-example: Two STS communicating with one another through two
unconstrained reactive variables $x$ and $y$. Both STS exhibit the following
reactions: $x$ present and $y$ absent, or alternatively $x$ absent and $y$ present.
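Condition (i) $\Rightarrow$ (ii) of Definition 2 only involves pairs of reactions (Comment 1 on Theorem 2), so for components given by finite sets of reactions it can be checked exhaustively. The following Python program is an added illustration, not code from the paper: it simplifies Definition 2 by describing each component as the set of reactions it can perform without control state (so point 1 of condition (i), unifiable previous states, is trivially met) and searches for a pair of reactions satisfying points 2 and 3 of (i) but not (ii). The reaction sets for the examples and the counter-example above are constructed.

```python
"""Isochrony check on pairs of reactions (added example).

Simplification relative to Definition 2: a component is given by the set of
reactions it can perform, without control state, so point 1 of condition (i)
(unifiable previous states) is trivially satisfied and the check reduces to
"points 2 and 3 of (i) imply (ii)" over all pairs of reactions.
"""
from itertools import product
from typing import Any, Dict, List, Optional, Tuple

ABSENT = None                  # value of a variable absent in a reaction
Reaction = Dict[str, Any]      # variable -> value, or ABSENT


def common_variables(reacts1: List[Reaction], reacts2: List[Reaction]) -> List[str]:
    """W = V1 intersected with V2, reading each component's variables off its reactions."""
    v1 = {v for s in reacts1 for v in s}
    v2 = {v for s in reacts2 for v in s}
    return sorted(v1 & v2)


def silent_on(s: Reaction, w: List[str]) -> bool:
    """Point 2 of (i) fails for s if every common variable is absent."""
    return all(s.get(v, ABSENT) is ABSENT for v in w)


def agree_on_present(s1: Reaction, s2: Reaction, w: List[str]) -> bool:
    """Point 3 of (i): equal values on the common variables present in both;
    vacuously true when no common variable is present in both (footnote)."""
    return all(s1[v] == s2[v] for v in w
               if s1.get(v, ABSENT) is not ABSENT and s2.get(v, ABSENT) is not ABSENT)


def unifiable(s1: Reaction, s2: Reaction, w: List[str]) -> bool:
    """Condition (ii): coincide on every common variable, presence included."""
    return all(s1.get(v, ABSENT) == s2.get(v, ABSENT) for v in w)


def isochrony_witness(reacts1: List[Reaction],
                      reacts2: List[Reaction]) -> Optional[Tuple[Reaction, Reaction]]:
    """None if the pair is isochronous; otherwise a pair of reactions that
    satisfies condition (i) but violates condition (ii)."""
    w = common_variables(reacts1, reacts2)
    for s1, s2 in product(reacts1, reacts2):
        if silent_on(s1, w) or silent_on(s2, w):
            continue                          # (i).2 not met: no obligation
        if agree_on_present(s1, s2, w) and not unifiable(s1, s2, w):
            return s1, s2
    return None


# Constructed reaction sets for the examples in the text.
# Single-clocked communication: x and y always present on both sides.
SINGLE_CLOCKED = [{"x": a, "y": b} for a in (0, 1) for b in (0, 1)]
# Guarded flow: component 1 also owns a local variable; x is always present
# and u is exchanged exactly when x carries 1, on both sides.
GUARDED_1 = [{"x": 0, "u": ABSENT, "loc": 0}, {"x": 1, "u": 5, "loc": 1}]
GUARDED_2 = [{"x": 0, "u": ABSENT}, {"x": 1, "u": 5}]
# Counter-example: two unconstrained reactive variables x and y, each
# reaction having x present and y absent, or x absent and y present.
TWO_FLOWS = [{"x": 1, "y": ABSENT}, {"x": ABSENT, "y": 1}]

if __name__ == "__main__":
    print(isochrony_witness(SINGLE_CLOCKED, SINGLE_CLOCKED))   # None
    print(isochrony_witness(GUARDED_1, GUARDED_2))             # None
    print(isochrony_witness(TWO_FLOWS, TWO_FLOWS))             # a witness pair
```

For the counter-example the witness is the pair "x present, y absent" against "x absent, y present": no common variable is present in both, so point 3 holds by the footnote's convention, yet the two reactions disagree on presence and cannot be unified. This is exactly the situation in which a per-flow asynchronous implementation can pair up messages that the synchronous semantics never pairs.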



7 Getting GALS Architectures

In practice, only partial desynchronization of networks of communicating STS
may be considered. This means that system designers may aim at generating
Globally Asynchronous programs made of Locally Synchronous components
communicating with one another via asynchronous communication media; this is
referred to as GALS architectures.

In fact, theorems 1 and 2 provide the adequate solution to this problem. Let
us assume that we have a finite collection $\Phi_i$ of STS such that

1. each $\Phi_i$ is endochronous, and

2. each pair $(\Phi_i, \Phi_j)$ is isochronous.

Then, from corollary 1 and theorem 1 we know that

$(\Phi_1 \| \ldots \| \Phi_K)^a = \Phi_1^a \|^a \ldots \|^a \Phi_K^a$

and each $\Phi_k^a$ is in one-to-one correspondence with its synchronous counterpart
$\Phi_k$. Here is the resulting execution scheme for this GALS architecture:

— For communications involving a pair $(\Phi_i, \Phi_j)$ of STS, each flow is preserved
individually, but global synchronization is loosened.

— Each STS $\Phi_i$ reconstructs its own successive reactions by just observing its
(desynchronized) environment, and then locally behaves as a synchronous STS.

— Finally, each $\Phi_i$ is allowed to have an internal activation clock which is
faster than communication clocks. Resulting local activation clocks evolve
asynchronously from one another.
8 Conclusion

We have presented an in depth study of the relationship between synchrony and
asynchrony. The overall approach consists in characterizing those networks of
STS which can be safely desynchronized, without semantic loss. Actual implementation
of the communications only requests that 1/ messages shall not be
lost, and 2/ messages on each individual channel are sent and delivered in the
same order. This type of communication can be implemented either by FIFOs
or by rendez-vous.

The next questions are: 1/ how to test for endo/isochrony? and, 2/ if such
properties are not satisfied, how to modify the given network of STS in order to
guarantee them? It turns out that both points are easily handled on abstractions
of synchronous programs, using the so-called clock calculus which is part of the
Signal compiler. We refer the reader to [?] for additional details. Enforcing
endo/isochrony amounts to equipping each STS with a suitable additional STS
which can be regarded as a kind of "synchronization protocol". When this is
done, desynchronization can be performed safely.

This method has been implemented in particular in the Sildex tool for the
Signal language, marketed by TNI, Brest, France. It is also implemented in the
Signal compiler developed at Inria, Rennes.
Abstract. In this paper, we address the issue of reachability analysis for
Petri nets, viewed as automata with counters. We show that exact reachability
analysis can be achieved by treating Petri nets integer variables
(counters) as real-valued variables, and using the Fourier-Motzkin procedure
instead of the Presburger elimination procedure. As a consequence, one can
safely analyse Petri nets with performant tools, e.g. HyTech, originally
designed for analysing automata with real-valued variables (clocks). We
also investigate the use of meta-transitions (iterative application of a
transition in a single step) and give sufficient conditions ensuring an exact
computation in this case. Experimental results with HyTech show
an impressive speed-up with respect to previous experiences performed
with a Presburger arithmetic solver. The method extends for analysing
Petri nets with inhibitors and with timing constraints, but difficulties
arise for the treatment of meta-transitions in the latter case.



1 Introduction

Reachability Analysis with Presburger Arithmetic. As surveyed by Esparza [?],
there are several classes of Petri nets whose set of reachable markings
can be described as a formula of Presburger arithmetic (i.e. a linear arithmetic
formula over integers). In practice, it turns out that iterative symbolic computation
of reachable markings, when it converges, often yields a set $post^*$ expressible
in Presburger arithmetic, even for Petri nets which do not belong to the classes
mentioned above [?]. Such a practical result was also observed in [?] in
the case of infinite-state systems with integers, called "extended finite state
automata (EFSM)". These observations have led independently several researchers
to implement procedures, based on Presburger arithmetic solvers, for trying to
compute the reachability sets of extended forms of automata [?]. Note that
there is generally no guarantee that the computation terminates. Moreover, the
complexity of Presburger arithmetic is extremely high, a major obstacle for dealing
with more than small-size examples. In this paper we will try to alleviate
this complexity problem.

Can Real Arithmetic Be Used Instead? It is well known that real arithmetic
is more tractable than integer arithmetic: for instance, checking the existence
of a solution over $\mathbb{R}$ for a system of linear inequations is polynomial while

Jos C.M. Baeten, Sjouke Mauw (Eds.): CONCUR'99, LNCS 1664, pp. 178-, 1999.

it is NP-hard over $\mathbb{N}$ [?]. In general resolution over $\mathbb{R}$ leads to an upper
approximation of the set of integer solutions. However Shostak [?] noticed that, for a
particular class of formulas (made of constraints of the form $x + c \le y$, $x \le c$ or
$c \le x$), elimination of variables over $\mathbb{R}$ using the Fourier-Motzkin procedure is exact,
i.e. produces the same result as elimination of variables over $\mathbb{N}$. For this class, it
is safe to focus on "polyhedric" constraints (i.e. sets of linear inequalities), and
discard the cumbersome divisibility constraints that are a priori needed when
dealing with integers.

Contribution of the Paper. Following Shostak, we show here that reachability
analysis of Petri nets can be done by treating integer variables as real-valued
variables, and eliminating them with Fourier-Motzkin. As a consequence, given a
Petri net and an initial marking, iterative computation of the successor markings
with Fourier-Motzkin yields the exact reachability set $post^*$, when it terminates.
The same is true for backward computation of predecessors $pre^*$.

The idea of solving over reals rather than integers was recently used by Delzanno
and Podelski in [?]. They deal with EFSM rather than Petri nets, and verify
not only safety properties but also liveness properties. On the other hand, in
contrast with us, they do not obtain in general an exact result for the reachability
sets but only an overapproximation. Besides, we treat here the case of
"(cycle) meta-transitions" (see [?]). A meta-transition simulates the iteration
of the same transition applied an arbitrary number $p$ of times, often entailing a
better convergence for $post^*$ and $pre^*$. Fourier-Motzkin elimination (of $p$) no
longer gives an exact result with meta-transitions, but only an upper
approximation. We still give a sufficient condition on the intermediate formulas
generated by the procedure, that guarantees an exact computation.

Our method extends to Petri nets with inhibitors and Petri nets with timing
constraints although problems arise with meta-transitions in the latter case. We
experimented the procedure on examples of various sizes, including a part of a
communication protocol (PNCSA, [?]) in which a deadlock was discovered.

Plan of the Paper. After recalling some basic definitions in §2, we give results
about ordinary Petri nets in §3, about Petri nets with meta-transitions in §4,
and about timed nets in §5; we conclude in §6.

2 Preliminaries

2.1 Fourier-Motzkin Variable Elimination

This presentation is adapted from [?]. An atomic constraint is a linear inequality
of the form $\sum_{i=1}^{n} a_i x_i \ge c$ or equality $\sum_{i=1}^{n} a_i x_i = c$ with coefficients in $\mathbb{Z}$.

A constraint is a conjunction of atomic constraints. We assume every atomic
constraint is written in a simplified form so that no variable appears twice in the
same atomic constraint. Let $vars(\phi)$ be the set of variables appearing in
constraint $\phi$. For each variable $x \in vars(\phi)$ we can partition $\phi$ in the following way.
Let $\phi^0$ be the set of atomic constraints of $\phi$ which do not contain any occurrence
of $x$. Let $\phi^+$ (resp. $\phi^-$) be the set of inequalities of $\phi$ equivalent to $ax \le e$ (resp.
$e \le bx$), where $e$ is a linear expression not involving $x$. The projection algorithm
shown below eliminates a variable $x$ from constraint $\phi$ and returns constraint
$\psi \Leftrightarrow \exists x\, \phi$ using Fourier-Motzkin elimination (and replacement of equals).

project(φ, x)
  if φ ⇔ φ' ∧ x = e then
    % Replacement of equals
    ψ := φ' with every occurrence of x replaced by e
  else
    % Fourier-Motzkin elimination
    ψ := φ⁰
    foreach A ∈ φ⁺ with A ⇔ ax ≤ e⁺
      foreach B ∈ φ⁻ with B ⇔ e⁻ ≤ bx
        ψ := ψ ∧ ae⁻ ≤ be⁺
      endforeach
    endforeach
  endif
  return ψ

Formula $\psi$ is only an upper approximation of the set of integer solutions because
the algorithm assumes that there is always a solution for $x$ to $ae^- \le abx \le be^+$,
as soon as $ae^- \le be^+$. This is true over $\mathbb{R}$ but not over $\mathbb{N}$. Note however that if
$a = 1$ or $b = 1$, such an integer solution always exists. Therefore, in the particular
case where, in $\phi$, all the coefficients of $x$ in lower bounds on $x$ are 1, or all the
coefficients of $x$ in upper bounds on $x$ are 1, Fourier-Motzkin is exact over $\mathbb{N}$:
formula $\psi$ characterizes the set of integer solutions (see [?]). This observation
will be used in §4.

In the following, elimination will be done implicitly via a projection algorithm
over $\mathbb{R}$, such as Fourier-Motzkin. Experimental results given throughout the
paper were obtained using HyTech [?], which has a built-in procedure of projection
over reals (taken from Halbwachs' polyhedral manipulation library [?]).
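The project(φ, x) procedure above, as a runnable Python version added here (it is neither the paper's nor HyTech's code). It keeps both branches of the algorithm and additionally returns the exactness flag justified in the preceding paragraph: a Fourier-Motzkin step is exact over $\mathbb{N}$ when every lower-bound coefficient of $x$, or every upper-bound coefficient of $x$, is 1. The constraint representation (coefficient dictionaries with Fraction arithmetic) and the three sample constraints are assumptions of this example.

```python
"""Fourier-Motzkin projection with replacement of equals (added example).

An atom (coeffs, const, kind) stands for  sum(coeffs[v] * v) + const >= 0
when kind == "ge", or == 0 when kind == "eq".  A constraint phi is a list of
atoms (a conjunction).  Coefficients are Fractions so that the multiplications
of the Fourier-Motzkin step stay exact.
"""
from fractions import Fraction
from typing import Dict, List, Tuple

Expr = Dict[str, Fraction]
Atom = Tuple[Expr, Fraction, str]


def atom(coeffs: Dict[str, int], const: int, kind: str = "ge") -> Atom:
    return ({v: Fraction(c) for v, c in coeffs.items() if c != 0},
            Fraction(const), kind)


def _combine(e1: Expr, k1: Fraction, e2: Expr, k2: Fraction) -> Expr:
    """k1*e1 + k2*e2 with zero coefficients dropped."""
    out: Expr = {}
    for v in set(e1) | set(e2):
        c = k1 * e1.get(v, Fraction(0)) + k2 * e2.get(v, Fraction(0))
        if c != 0:
            out[v] = c
    return out


def substitute(a: Atom, x: str, expr: Expr, const: Fraction) -> Atom:
    """Replace x by the linear expression expr + const inside atom a."""
    coeffs, c0, kind = a
    cx = coeffs.get(x, Fraction(0))
    rest = {v: c for v, c in coeffs.items() if v != x}
    return (_combine(rest, Fraction(1), expr, cx), c0 + cx * const, kind)


def project(phi: List[Atom], x: str) -> Tuple[List[Atom], bool]:
    """Eliminate x from phi, returning (psi, exact).

    Branch 1 (replacement of equals): if phi contains an equality a*x + e = 0,
    solve it for x and substitute everywhere; exact over N as well as R.
    Branch 2 (Fourier-Motzkin): psi = phi^0 plus, for every lower bound
    e- <= b*x and upper bound a*x <= e+, the atom a*e- <= b*e+.  This is exact
    over N only if all the b's are 1 or all the a's are 1 (see the text).
    """
    for i, (coeffs, c0, kind) in enumerate(phi):
        if kind == "eq" and x in coeffs:
            a = coeffs[x]                                   # a*x + rest + c0 = 0
            expr = {v: -c / a for v, c in coeffs.items() if v != x}
            rest_phi = phi[:i] + phi[i + 1:]
            return [substitute(at, x, expr, -c0 / a) for at in rest_phi], True
    psi = [at for at in phi if x not in at[0]]              # phi^0
    lowers = [at for at in phi if at[0].get(x, 0) > 0]      # b*x + rl + kl >= 0
    uppers = [at for at in phi if at[0].get(x, 0) < 0]      # -a*x + ru + ku >= 0
    for cl, kl, _ in lowers:
        b = cl[x]
        rl = {v: c for v, c in cl.items() if v != x}        # e- = -(rl + kl)
        for cu, ku, _ in uppers:
            a = -cu[x]
            ru = {v: c for v, c in cu.items() if v != x}    # e+ = ru + ku
            # a*e- <= b*e+  is  b*(ru + ku) + a*(rl + kl) >= 0
            psi.append((_combine(ru, b, rl, a), b * ku + a * kl, "ge"))
    exact = all(at[0][x] == 1 for at in lowers) or all(at[0][x] == -1 for at in uppers)
    return psi, exact


def satisfies(phi: List[Atom], env: Dict[str, int]) -> bool:
    """Evaluate a constraint on an assignment of integer values."""
    for coeffs, c0, kind in phi:
        val = sum(c * env[v] for v, c in coeffs.items()) + c0
        if (val != 0) if kind == "eq" else (val < 0):
            return False
    return True


# Constructed sample constraints.
# EXACT_CASE: 2 <= x <= 5 and x <= y.  Eliminating x gives 3 >= 0 and y >= 2.
EXACT_CASE = [atom({"x": 1}, -2), atom({"x": -1}, 5), atom({"x": -1, "y": 1}, 0)]
# GAP_CASE: 1 <= 2x <= 1, i.e. x = 1/2.  No integer solution, yet projection
# over R yields the tautology 0 >= 0; the flag reports the loss of exactness.
GAP_CASE = [atom({"x": 2}, -1), atom({"x": -2}, 1)]
# EQ_CASE: x = y + 1 and x >= 3.  Replacement of equals gives y >= 2.
EQ_CASE = [atom({"x": 1, "y": -1}, -1, "eq"), atom({"x": 1}, -3)]

if __name__ == "__main__":
    for name, phi in (("EXACT_CASE", EXACT_CASE), ("GAP_CASE", GAP_CASE), ("EQ_CASE", EQ_CASE)):
        psi, exact = project(phi, "x")
        print(name, psi, "exact over N:", exact)
```

GAP_CASE is the failure mode the paragraph warns about: the real projection is satisfiable although no integer point exists, so a reachability tool that trusts the projection blindly over-approximates; the flag is what lets a caller know when the integer assumption was actually dropped.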

2.2 Petri Nets

A net $N$ is a tuple $(X, R, \alpha, \beta)$, where

- $X = \{x_1, \ldots, x_m\}$ is a finite set of counters${}^2$,

- $R$ is a finite set of transitions,

- $\alpha : X \times R \to \mathbb{N}$ and $\beta : R \times X \to \mathbb{N}$ are valuation functions.

The value $\alpha(x_i, r)$ represents the weight of an input-arc from input-counter $x_i$
to $r$, and $\beta(r, x_i)$ the weight of an output-arc from $r$ to output-counter $x_i$. In the
figures, counters are drawn as circles, transitions as bars. An arc is represented
as a weighted arrow only if it has a non zero weight. The weights of the drawn

${}^1$ on a SUN station ULTRA-1 with 64 Megabytes of RAM memory
${}^2$ The usual terminology is places, but it is convenient here to refer to counters.
arcs are implicitly 1. With each transition $r \in R$ in the net is associated a couple
of vectors $(c_r, a_r)$, where the $i$-th component $c_r^i$ of $c_r$ is $\beta(r, x_i) - \alpha(x_i, r)$, and
the $i$-th component $a_r^i$ of $a_r$ is $\alpha(x_i, r)$. A marking is a mapping from $X$ to $\mathbb{N}$. A
set of markings is represented as a formula $\varphi(x)$ interpreted over $\mathbb{N}$, where $x$ is
the vector of variables $x_1, \ldots, x_m$. A Petri net is a pair $(N, \varphi_{init})$ where $N$ is a
net, and $\varphi_{init}$ a formula, called "initial formula", characterizing the set of initial
markings. Formula $\varphi_{init}$ is generally of the form $x = x_{init}$, with $x_{init} \in \mathbb{N}^m$.
We also consider cases where the initial marking is parametric: some counters
are assigned parameters instead of constant values. Henceforth we will assume
given a set $P = \{p_1, p_2, \ldots\}$ of parameters which are additional variables, the
values of which are left unchanged by transitions. A parametric initial formula
$\varphi_{init}(x, p)$ is of the form $x = x_{init}$ with $x_{init} \in (\mathbb{N} \cup P)^m$ (and possibly some
additional constraints over $p$). For a transition $r \in R$ corresponding to $(c_r, a_r)$,
the reachability relation via $r$, written $\xrightarrow{r}$, is defined by:

$x \xrightarrow{r} x' \iff x' = x + c_r \wedge x \ge a_r$.

Given a net $N = (X, R, \alpha, \beta)$, the reachability relation via $N$, written $\xrightarrow{N}$, is
$\bigcup_{r \in R} \xrightarrow{r}$. (This means: $x \xrightarrow{N} x'$ iff $\exists r \in R\ x \xrightarrow{r} x'$.) Without loss of
understanding in the following, we will use $R$ and $\to$ in place of $N$ and $\xrightarrow{N}$
respectively. For lack of space we do not explain how to treat Petri nets with
inhibitors ("0-tests") in this paper, but all our definitions and results easily
extend to them.



Example 1. The Petri net in figure 1 corresponds to the "swimming-pool" example
from M. Latteux (see [?]). All weights are equal to 1. Transition $r_1$
(incoming guest) is enabled if $x_6 \ge 1$, when there is at least one free cabin.
When $r_1$ is fired, one token is removed from counter $x_6$ and added into
counter $x_1$, meaning the beginning of undressing. The initial marking $x_{init}$
involves two parameters $p_1$ and $p_2$ (assumed to be greater than or equal to 1),
which represent the number of available cabins and baskets respectively. We
have $\varphi_{init} := x_1 = x_2 = x_3 = x_4 = x_5 = 0 \wedge x_6 = p_1 \wedge x_7 = p_2 \wedge p_1 \ge 1 \wedge p_2 \ge 1$.

The reachability relation via $r_1$ is: $x \xrightarrow{r_1} x'$ iff

$x'_1 = x_1 + 1 \wedge x'_6 = x_6 - 1 \wedge x_6 \ge 1 \wedge x'_2 = x_2 \wedge x'_3 = x_3 \wedge x'_4 = x_4 \wedge x'_5 = x_5$.

Relations for transitions $r_2$ to $r_6$ are similar. For the sake of brevity, all the
equations of the form $x'_i = x_i$ (counters unchanged) will be omitted in the next
examples. Also recall that inequations of the form $x_i \ge 0$ are always implicit.



3 Reachability Analysis in Petri Nets

Given a formula $\varphi$ and a transition $r$, the classical notion of successor (resp.
predecessor), characterizing the markings reachable via $r$ (resp. $r^{-1}$) from a
marking satisfying $\varphi$, is defined as follows.

The successor of $\varphi$ via $r$, written $post_r(\varphi)$, is the result of eliminating $x'$ over $\mathbb{N}$
from: $\exists x'\ \varphi(x') \wedge x' \xrightarrow{r} x$.
Fig. 1. A Petri net for the swimming pool example (place label: free cabins)

The predecessor of $\varphi$ via $r$, written $pre_r(\varphi)$, is the result of eliminating $x'$ over
$\mathbb{N}$ from: $\exists x'\ \varphi(x') \wedge x \xrightarrow{r} x'$.

Since $x \xrightarrow{r} x'$ means $x' = x + c_r \wedge x \ge a_r$, we have (by replacement of equals):

$post_r(\varphi) \Leftrightarrow \varphi(x - c_r) \wedge x \ge a_r + c_r$
$pre_r(\varphi) \Leftrightarrow \varphi(x + c_r) \wedge x \ge a_r$.

As usual, given a set $R$ of transitions, $post_R(\varphi)$ is $\bigvee_{r \in R} post_r(\varphi)$ (the subscript
$R$ is sometimes omitted when it stands for the set of all transitions of the Petri
net) and the iterated operator $post^k$ for a formula $\varphi$ is defined recursively by:
$post^0(\varphi) = \varphi$, $post^{k+1}(\varphi) = post(post^k(\varphi))$.

The infinite union $\bigcup_{k \ge 0} post^k(\varphi)$, written $post^*(\varphi)$, characterizes the set of all
the markings reachable from $\varphi$ through a finite sequence of transitions. We
say that the iterative computation of $post^*$ stabilizes or terminates at step $k$
when $k$ is the first index such that $post^{k+1}(\varphi) \subseteq \bigcup_{0 \le j \le k} post^j(\varphi)$; then
$post^*(\varphi) = \bigcup_{0 \le j \le k} post^j(\varphi)$. One defines similarly $pre^k(\varphi)$ and $pre^*(\varphi)$.

We are interested in (dis)proving that all the reachable markings of a Petri net
satisfy a certain "safety" property, e.g. deadlock-freeness. This will be done by
considering a formula $\varphi_{safe}$, which characterizes the set of all the safe markings,
and checking: $post^*(\varphi_{init}) \cap \neg\varphi_{safe} = \emptyset$ or $pre^*(\neg\varphi_{safe}) \cap \varphi_{init} = \emptyset$.

In the examples hereafter, we will (dis)prove the absence of deadlock. The property
$\varphi_{safe}(x)$, expressing that $x$ enables at least one transition, is:

Its negation $\neg\varphi_{safe}$, characterizing the set of all the deadlock markings, is of the
form $\bigvee_{k \in K} \varphi_{dead_k}$ where $K$ is a finite set of indices and $\varphi_{dead_k}$ characterizes a
subset of deadlock markings. There is a deadlock iff:

$post^*(\varphi_{init}) \cap \varphi_{dead_k} \neq \emptyset$ or $pre^*(\varphi_{dead_k}) \cap \varphi_{init} \neq \emptyset$, for some $k \in K$.
Definition 1. A formula $\varphi(x)$ is a counter region iff it is a conjunction of inequalities of the form:

$x_i + d \geq x_j$, $x_i \geq x_j + d$, $x_i \geq d$, $d \geq x_i$, with $x_i, x_j \in X \cup P$, $d \in \mathbb{N}$.

We say that a formula $\varphi(x)$ belongs to counter class $\mathcal{C}$ iff $\varphi$ is a finite disjunction of counter regions.



Proposition 1. Let $\varphi$ be a formula of $\mathcal{C}$. Then:

1. Variable elimination with Fourier-Motzkin is exact for computing $post_R(\varphi)$.

2. $post_R(\varphi)$ belongs to $\mathcal{C}$.

3. When it terminates, the iterative computation of $post^*_R(\varphi)$ (using Fourier-Motzkin) yields a formula $post^*_R(\varphi)$ belonging to $\mathcal{C}$.

Proof. Statement 1 follows from the fact that elimination of $x'$ in $\exists x'\ \varphi(x') \wedge x' \xrightarrow{r} x$ is merely an operation of replacement of equals, and does not use the integer assumption for $x'$. Besides the resulting formula $\varphi(x - c_r) \wedge x \geq a_r + c_r$ belongs to class $\mathcal{C}$ since $\varphi \in \mathcal{C}$; this is because replacing $x_i$ (resp. $x_j$) with $x_i - c^i_r$ (resp. $x_j - c^j_r$) in a constraint of the form $x_i \geq x_j + d$, $x_i + d \geq x_j$, $x_i \geq d$, or $d \geq x_i$ yields a constraint of the same form. Therefore statement 2 holds. Statement 3 follows from statements 1 and 2.

The proposition also holds with $pre$ instead of $post$. Since $\varphi_{init}$ belongs to $\mathcal{C}$, it follows from the proposition that computation of $post^*$ yields a formula of $\mathcal{C}$ when it terminates.

Example 2. This example is taken from [?] (cf. [?]) and illustrated by the Petri net of figure 2. It models an automated manufacturing system with four machines, two robots, two buffers ($x_{10}$ and $x_{15}$) and an assembly cell. The initial marking $x_{init}$ is such that: $x_1 = p$ for some nonnegative parameter $p$, $x_2 = x_{?} = x_7 = x_{12} = x_{13} = x_{16} = x_{19} = x_{24} = 1$, $x_{10} = x_{15} = 3$ (buffers have capacity 3). All other counters are empty (that is, all other variables are 0). The task is to discover for which values of parameter $p$ the system may end up in a deadlock.

Fig. 2. A manufacturing system (figure not reproduced)

Previous Works: In [?] deadlock-freeness is shown only for $1 \leq p \leq 4$. In [?] deadlock-freeness is proved using some mixed integer programming techniques for $1 \leq p \leq 8$. A path leading to a deadlock is then generated for $p = 9$. In [?] the exact reachability set has been automatically computed using variable elimination over $\mathbb{N}$, showing that a deadlock is reached from $x_{init}$ if and only if $p \geq 9$, but the computation takes several hours (2.5 hours on a SUN station ULTRA-1).

New Results: The computation of $post^*(\varphi_{init})$ with HyTech stabilizes after 81 iterations, and takes only a couple of minutes (200 seconds). The output set $post^*$ is a disjunction of 560 counter regions. More precisely, each region is of the form $(p = x_1 + d_0 \wedge x_1 \geq d_1 \wedge \bigwedge_{i=2}^{25} x_i = d_i)$ or $(p = d_0 \wedge x_1 = d_1 \wedge \bigwedge_{i=2}^{25} x_i = d_i)$, with $d_i \in \{0, 1, \cdots, 12\}$ for all $0 \leq i \leq 25$. The intersection of $post^*$ with the formula characterizing deadlock markings gives $p = x_1 + 9 \wedge x_1 \geq 0 \wedge x_{11} = 3 \wedge x_{15} = 2 \wedge x_3 = x_4 = x_6 = x_8 = x_{14} = x_{17} = x_{18} = x_{21} = x_{24} = 1$, all the other variables being null. We thus retrieve the necessary and sufficient condition of deadlock-freeness ($p \leq 8$). Note the impressive computation time speed-up gained here w.r.t. [?].



4 Petri Nets with Meta-transitions 



4.1 Meta-transitions 



The computation of $post^*$ (or $pre^*$), performed in a brute manner as explained above, often converges slowly or does not terminate at all. A classical way to speed up the convergence and improve the termination of $post^*$ is to use "(cycle) meta-transitions" [?], i.e. repeated application of a transition $r$ an arbitrary number $\mu$ of times in a single step. Let us define formally this notion in our context. Given $\mu \in \mathbb{N} \setminus \{0\}$, the $\mu$-reachability relation via transition $r : (c_r, a_r)$, written $\xrightarrow{r,\mu}$, is defined by:

$x \xrightarrow{r,\mu} x' \Leftrightarrow x \xrightarrow{r} x'$ if $\mu = 1$,
$x \xrightarrow{r,\mu} x' \Leftrightarrow \exists x_1\ x \xrightarrow{r} x_1 \wedge x_1 \xrightarrow{r,\mu-1} x'$ if $\mu \geq 2$.

The transitive closure of $\xrightarrow{r}$, written $\xrightarrow{r,+}$, is defined by:

$x \xrightarrow{r,+} x' \Leftrightarrow \exists \mu \in \mathbb{N} \setminus \{0\}\ x \xrightarrow{r,\mu} x'$.

Proposition 2. Given a transition $r : (c_r, a_r)$, we have:

$x \xrightarrow{r,\mu} x'$ iff $x' = x + \mu.c_r \wedge x + (\mu - 1).c'_r \geq a_r$,

where $c'_r$ is obtained from $c_r$ by replacing all the positive components with 0.

Proof. $x \xrightarrow{r,\mu} x'$
$\Leftrightarrow \exists x_1, x_2, \ldots, x_{\mu-1}\ x \xrightarrow{r} x_1 \wedge x_1 \xrightarrow{r} x_2 \wedge \cdots \wedge x_{\mu-1} \xrightarrow{r} x'$
$\Leftrightarrow x' = x + \mu.c_r \wedge (x \geq a_r \wedge x + 1.c_r \geq a_r \wedge \cdots \wedge x + (\mu - 1).c_r \geq a_r)$.

Conjunction $(x \geq a_r \wedge x + 1.c_r \geq a_r \wedge \cdots \wedge x + (\mu - 1).c_r \geq a_r)$ simplifies to $x + (\mu - 1).c'_r \geq a_r$, with $c'_r$ as defined above (see [?] for details).

Example 3. Consider transition $r_1$ of the swimming-pool example:

$x \xrightarrow{r_1} x'$ iff $x'_1 = x_1 + 1 \wedge x'_6 = x_6 - 1 \wedge x_6 \geq 1$.

From $c_r = (1, 0, 0, 0, 0, -1, 0)$, we obtain $c'_r = (0, 0, 0, 0, 0, -1, 0)$. Besides $a_r$ is $(0, 0, 0, 0, 0, 1, 0)$, hence: $x \xrightarrow{r_1,\mu} x'$ iff $x'_1 = x_1 + \mu \wedge x'_6 = x_6 - \mu \wedge x_6 - (\mu - 1) \geq 1$, i.e. $x'_1 = x_1 + \mu \wedge x'_6 = x_6 - \mu \wedge x_6 \geq \mu$.

Definition 2. The $\mu$-successor of $\varphi$ via $r$, denoted $post_{r,\mu}(\varphi)$, is such that:

$post_{r,\mu}(\varphi) \Leftrightarrow \exists x'\ \varphi(x') \wedge x' \xrightarrow{r,\mu} x$.

The meta-successor of $\varphi$ via $r$, written $Mpost_r(\varphi)$, is such that

$Mpost_r(\varphi) \Leftrightarrow \exists x'\ \varphi(x') \wedge x' \xrightarrow{r,+} x \Leftrightarrow \exists \mu \in \mathbb{N} \setminus \{0\}\ post_{r,\mu}(\varphi)$.

It is straightforward to show (using proposition 2):

$post_{r,\mu}(\varphi) \Leftrightarrow \varphi(x - \mu.c_r) \wedge x + \mu(c'_r - c_r) \geq a_r + c'_r$.

We define also: $Mpost_R(\varphi) = \bigcup_{r \in R} Mpost_r(\varphi)$.

Since only transitions of $R$ are used in $Mpost_R$, we have: $Mpost^*_R = post^*_R$.

If one regards $\mu$ not as a natural number but as a real, and eliminates $\mu$ via Fourier-Motzkin from $\exists \mu \geq 1\ post_{r,\mu}(\varphi)$, one does not generally get an exact result, but only an upper approximation of $Mpost_r(\varphi)$. However, in the special case where all the coefficients of $\mu$ in $post_{r,\mu}(\varphi)$ for lower bounds of $\mu$ are 1, Fourier-Motzkin elimination is guaranteed to be exact (see §2), and yields a formula equivalent to $Mpost_r(\varphi)$. The same result holds if all the nonnull coefficients of $\mu$ in upper bounds of $\mu$ are 1. This suggests to compute an upper approximation, denoted $Upost_R(\varphi)$, of $Mpost_R(\varphi)$ as follows.

Proposition 3. Given a formula $\varphi$, let $Upost_R(\varphi)$ be the result of eliminating $\mu$ via Fourier-Motzkin from $\exists \mu \geq 1\ post_{R,\mu}(\varphi)$. We have:

$Upost^*_R(\varphi) \supseteq Mpost^*_R(\varphi) = post^*_R(\varphi)$.

Besides, if iterative computation of $Upost^k_R(\varphi)$ stabilizes at step $k$, and all the coefficients of $\mu$ on lower bounds (resp. upper bounds) of $\mu$ in $post_{r,\mu}(Upost^j_R(\varphi))$ are 1, for every $0 < j < k$ and every $r \in R$, then:

$Upost^*_R(\varphi) = Mpost^*_R(\varphi) = post^*_R(\varphi)$.

One defines similarly the notions $Mpre_r$, $Upre_r$, $Mpre_R$, $Upre_R$. The counterpart of the above proposition holds. The examples given at the end of the section show that iterative computation of $Upre_R$ is a practical and efficient way of computing an approximation of $pre^*_R$. Inspection of $\mu$ coefficients within intermediate formulas $pre_{r,\mu}(Upre^j_R(\varphi))$ will guarantee additionally that $Upre^*_R = pre^*_R$.
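The following Python example is added here; it is not the paper's code nor HyTech's, and it makes Proposition 3 concrete. It builds the constraints of $post_{r,\mu}(\varphi)$ by the substitution $x \mapsto x - \mu.c_r$, eliminates $\mu$ over the reals by Fourier-Motzkin to obtain $Upost_r(\varphi)$, and compares the integer markings admitted by $Upost_r(\varphi)$ with those of the exact $Mpost_r(\varphi)$ (some integer $\mu \geq 1$). Its inputs are assumptions of the example: transition $r_1$ of the swimming-pool net restricted to the two places it touches, a constructed transition with an arc weight of 2, two constructed counter regions, and a bounded enumeration of markings and of $\mu$. The elimination is exact when the coefficient condition of the proposition holds and a strict upper approximation when it does not.

```python
from itertools import product

# A constraint over the counters x_0..x_{n-1} and the step count mu (slot n) is a
# tuple (k_0, ..., k_{n-1}, k_mu, d) meaning  sum_i k_i*x_i + k_mu*mu + d >= 0.
# A counter region phi is a list of tuples without the mu slot:
# (k_0, ..., k_{n-1}, d) meaning  sum_i k_i*x_i + d >= 0.

def post_mu_constraints(phi, c, a):
    """post_{r,mu}(phi) = phi(x - mu.c_r) ∧ x + mu(c'_r - c_r) >= a_r + c'_r ∧ mu >= 1,
    as constraints over (x, mu). Substituting x_i -> x_i - mu.c_i in phi is the
    'replacement of equals' step; c'_r keeps only the negative components of c_r."""
    n = len(c)
    cp = [min(ci, 0) for ci in c]
    out = []
    for con in phi:
        ks, d = con[:n], con[n]
        mu_coef = -sum(k * ci for k, ci in zip(ks, c))
        out.append(tuple(ks) + (mu_coef, d))
    for i in range(n):
        ks = [0] * n
        ks[i] = 1
        out.append(tuple(ks) + (cp[i] - c[i], -(a[i] + cp[i])))
    out.append((0,) * n + (1, -1))          # mu - 1 >= 0
    return out

def fourier_motzkin(cons, j):
    """Eliminate variable j as a real: keep constraints not mentioning it and add,
    for each (lower bound, upper bound) pair, their positive combination."""
    lower = [k for k in cons if k[j] > 0]
    upper = [k for k in cons if k[j] < 0]
    out = [k[:j] + k[j + 1:] for k in cons if k[j] == 0]
    for lo in lower:
        for up in upper:
            comb = tuple(-up[j] * lo_k + lo[j] * up_k for lo_k, up_k in zip(lo, up))
            out.append(comb[:j] + comb[j + 1:])   # comb[j] is 0 by construction
    return out

def satisfies(cons, point):
    """Every constraint holds at the integer point (last tuple entry is the constant)."""
    return all(sum(k * v for k, v in zip(con, point)) + con[-1] >= 0 for con in cons)

def unit_coefficients(cons, j):
    """Side condition of Proposition 3: every coefficient of mu on a lower bound is 1,
    or every nonnull coefficient of mu on an upper bound is 1 (in absolute value)."""
    lower_ok = all(k[j] == 1 for k in cons if k[j] > 0)
    upper_ok = all(k[j] == -1 for k in cons if k[j] < 0)
    return lower_ok or upper_ok

def upost_points(phi, c, a, bound):
    """Integer markings in [0, bound]^n satisfying Upost_r(phi) (mu eliminated as a real)."""
    n = len(c)
    cons = fourier_motzkin(post_mu_constraints(phi, c, a), n)
    return {x for x in product(range(bound + 1), repeat=n) if satisfies(cons, x)}

def mpost_points(phi, c, a, bound, mu_max):
    """Integer markings in [0, bound]^n satisfying Mpost_r(phi): some integer
    mu in 1..mu_max works (mu_max is an assumption of this bounded check)."""
    n = len(c)
    cons = post_mu_constraints(phi, c, a)
    return {x for x in product(range(bound + 1), repeat=n)
            if any(satisfies(cons, x + (mu,)) for mu in range(1, mu_max + 1))}

# r_1 of the swimming-pool net kept on the two places it touches (x_1 -> x_0, x_6 -> x_1).
R1_PROJ = ((1, -1), (0, 1))
# Constructed transition producing two tokens per firing.
R2_CONSTRUCTED = ((2, -1), (0, 1))
# Constructed counter regions (constant is the last entry).
PHI_UNIT = [(1, 0, 0), (-1, 0, 0), (0, 1, -5), (0, -1, 5)]   # x_0 = 0 ∧ x_1 = 5
PHI_EVEN = [(1, 0, 0), (-1, 0, 0), (0, 1, -1)]              # x_0 = 0 ∧ x_1 >= 1

def compare(phi, transition, bound=6):
    """(side condition holds, Upost == Mpost on the grid, |Upost|, |Mpost|)."""
    c, a = transition
    cond = unit_coefficients(post_mu_constraints(phi, c, a), len(c))
    up = upost_points(phi, c, a, bound)
    mp = mpost_points(phi, c, a, bound, bound)
    return cond, up == mp, len(up), len(mp)

if __name__ == "__main__":
    print(compare(PHI_UNIT, R1_PROJ))          # unit coefficients: elimination exact
    print(compare(PHI_EVEN, R2_CONSTRUCTED))   # weight 2: parity lost, Upost strictly larger
```

With `R1_PROJ` the lower bounds on $\mu$ all have coefficient 1 and the real elimination returns exactly $x_0 + x_1 = 5 \wedge x_0 \geq 1$; with the weight-2 transition the exact set only contains even values of $x_0$, which no conjunction of linear inequalities over the reals can express, so $Upost$ keeps the odd values too.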



186 Beatrice Berard and Laurent Fribourg 



4.2 Fused Transitions 



In the rest of this section we consider, instead of the original set $R = \{r_1, \cdots, r_n\}$ of transitions of the given Petri net, a new set $R'$ obtained from $R$ by adding sequences of transitions, called fused transitions, of the form $r_{i_1} \cdots r_{i_k}$. Fused transitions can be derived in practice through a process of "decomposition" of $R$ (see [?]) which uses a generalized form of fusion rules originally proposed by Berthelot [?] for transforming Petri nets.

The reachability relation via $r_{i_1} \cdots r_{i_k}$, written $\xrightarrow{r_{i_1} \cdots r_{i_k}}$, is defined by:

$x \xrightarrow{r_{i_1} \cdots r_{i_k}} x'$ iff $\exists x_1, \cdots, x_{k-1}\ x \xrightarrow{r_{i_1}} x_1 \xrightarrow{r_{i_2}} \cdots \xrightarrow{r_{i_{k-1}}} x_{k-1} \xrightarrow{r_{i_k}} x'$.

Alternatively, we can consider a fused transition $\sigma = r_{i_1} \cdots r_{i_k}$ as a transition associated with a couple $(c_\sigma, a_\sigma)$. Writing $\varepsilon$ for the empty sequence, we have:

Definition 3. Given a fused transition $\sigma$, the reachability relation via $\sigma$, written $\xrightarrow{\sigma}$, is defined by $x \xrightarrow{\sigma} x'$ iff $x' = x + c_\sigma \wedge x \geq a_\sigma$, with $c_\sigma$ and $a_\sigma$ recursively defined as:

$c_\varepsilon = 0$, $c_{r.\sigma} = c_r + c_\sigma$,
$a_\varepsilon = 0$, $a_{r.\sigma} = \max(a_r, a_\sigma - c_r)$.

Since $R'$ is obtained from $R$ by adding sequences of transitions of $R$, we have: $post^*_{R'} = post^*_R$ and $pre^*_{R'} = pre^*_R$.

Example 4. Consider the transitions $r_1$, $r_2$ of the swimming-pool example:

$x \xrightarrow{r_1} x'$ iff $x'_1 = x_1 + 1 \wedge x'_6 = x_6 - 1 \wedge x_6 \geq 1$.
$x \xrightarrow{r_2} x'$ iff $x'_1 = x_1 - 1 \wedge x'_2 = x_2 + 1 \wedge x'_7 = x_7 - 1 \wedge x_1 \geq 1 \wedge x_7 \geq 1$.

The fused transition $r_1 r_2$ is characterized by $(c_{r_1 r_2}, a_{r_1 r_2})$ where $c_{r_1 r_2}$ is $(0, 1, 0, 0, 0, -1, -1)$ and $a_{r_1 r_2}$ is $(0, 0, 0, 0, 0, 1, 1)$. We have:

$x \xrightarrow{r_1 r_2} x'$ iff $x'_2 = x_2 + 1 \wedge x'_6 = x_6 - 1 \wedge x'_7 = x_7 - 1 \wedge x_6 \geq 1 \wedge x_7 \geq 1$.
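As an added Python example (not from the paper), the two constructions of Proposition 2 and Definition 3 applied to the swimming-pool transitions $r_1$, $r_2$ of Examples 3 and 4: the vector $c'_r$ with the closed form of $\xrightarrow{r,\mu}$, and the couple $(c_\sigma, a_\sigma)$ of a fused transition, each checked by brute force against its defining sequence of single firings on small markings. The 7-place vectors come from the examples; the enumeration bounds are chosen for this illustration.

```python
from itertools import product

# Transitions as couples (c_r, a_r): c_r is the effect added to the marking, a_r the
# enabling threshold (x >= a_r componentwise). r_1 and r_2 of the swimming-pool
# example, on its 7 places, as given in Examples 3 and 4.
SWIM_R1 = ((1, 0, 0, 0, 0, -1, 0), (0, 0, 0, 0, 0, 1, 0))
SWIM_R2 = ((-1, 1, 0, 0, 0, 0, -1), (1, 0, 0, 0, 0, 0, 1))

def fire(x, c, a):
    """One step x ->r x': x' = x + c_r when x >= a_r, otherwise None (not enabled)."""
    if any(xi < ai for xi, ai in zip(x, a)):
        return None
    return tuple(xi + ci for xi, ci in zip(x, c))

def c_prime(c):
    """c'_r of Proposition 2: c_r with every positive component replaced by 0."""
    return tuple(min(ci, 0) for ci in c)

def mu_step_closed_form(x, c, a, mu):
    """Proposition 2: x ->(r,mu) x' iff x' = x + mu.c_r and x + (mu-1).c'_r >= a_r.
    Only the components that r consumes get a stronger threshold."""
    cp = c_prime(c)
    if any(xi + (mu - 1) * cpi < ai for xi, cpi, ai in zip(x, cp, a)):
        return None
    return tuple(xi + mu * ci for xi, ci in zip(x, c))

def mu_step_by_firing(x, c, a, mu):
    """The defining semantics of ->(r,mu): mu successive single firings of r."""
    for _ in range(mu):
        x = fire(x, c, a)
        if x is None:
            return None
    return x

def fuse(sequence):
    """Definition 3: (c_sigma, a_sigma) for sigma = r_1 ... r_k, built from the empty
    sequence (c_eps = 0, a_eps = 0) by prepending one transition at a time:
    c_{r.sigma} = c_r + c_sigma,  a_{r.sigma} = max(a_r, a_sigma - c_r)."""
    n = len(sequence[0][0])
    c_sigma, a_sigma = (0,) * n, (0,) * n
    for c, a in reversed(sequence):
        a_sigma = tuple(max(ai, asi - ci) for ai, asi, ci in zip(a, a_sigma, c))
        c_sigma = tuple(ci + csi for ci, csi in zip(c, c_sigma))
    return c_sigma, a_sigma

def fire_sequence(x, sequence):
    """Fire r_1, then r_2, ...; None as soon as one of them is not enabled."""
    for c, a in sequence:
        x = fire(x, c, a)
        if x is None:
            return None
    return x

def check_fused_equals_sequence(sequence, bound=2):
    """Brute force over markings in [0, bound]^n: the fused couple of Definition 3
    is enabled exactly when the sequence is, and yields the same marking."""
    n = len(sequence[0][0])
    c_s, a_s = fuse(sequence)
    return all(fire(x, c_s, a_s) == fire_sequence(x, sequence)
               for x in product(range(bound + 1), repeat=n))

def check_mu_closed_form(c, a, bound=3, mu_max=4):
    """Brute force over markings and mu: the closed form of Proposition 2 agrees
    with mu successive firings."""
    return all(mu_step_closed_form(x, c, a, mu) == mu_step_by_firing(x, c, a, mu)
               for x in product(range(bound + 1), repeat=len(c))
               for mu in range(1, mu_max + 1))

if __name__ == "__main__":
    print(fuse([SWIM_R1, SWIM_R2]))                                  # Example 4
    print(mu_step_closed_form((0, 0, 0, 0, 0, 3, 0), *SWIM_R1, 3))   # Example 3, mu = 3
    print(check_fused_equals_sequence([SWIM_R1, SWIM_R2]), check_mu_closed_form(*SWIM_R1))
```

The recursion of Definition 3 runs from the end of the sequence: `a_sigma - c_r` shifts the threshold of the tail back through the effect of the transition prepended in front of it, which is why the fused $r_1 r_2$ no longer requires $x_1 \geq 1$ ($r_1$ supplies that token itself).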



4.3 Examples 

In the following examples we consider an extended set $R'$ obtained from $R$ by adding fused transitions. We compute $Upre^*_{R'}$, and show that: $Upre^*_{R'} = Mpre^*_{R'}$ ($= pre^*_{R'} = pre^*_R$). The set $R'$ has been obtained by a preliminary decomposition of $R$ (see [?]) up to level $k$, i.e. until $k$ distinct fused transitions have been generated. The computation time of the decomposition process is negligible w.r.t. the computation time of $post^*$ (or $pre^*$). Note that the choice of the appropriate value $k$ is the result of a compromise: the bigger $k$ is, the better the convergence of $post^*$ is likely to be, but the search space may explode for too large values of $k$. In each of the examples below, we first had to try a couple of values for $k$ before obtaining a convenient one. One can also improve the convergence by dropping certain "troublesome" fused transitions, but this issue is beyond the scope of the paper.

Footnote: The decomposition process also infers an ordering of application among the set of ordinary and fused transitions, but this information is not exploited here.






Example 5. Consider the set of transitions $R = \{r_1, r_2, \cdots, r_6\}$ for the swimming pool Petri net. The Petri net derived by decomposition has a set $R'$ with the following 6 fused transitions $\{r_2 r_3, r_1 r_2 r_3, r_6 r_4, r_4 r_5, r_1 r_2 r_3 r_4 r_5, \ldots\}$ added to $R$. The deadlock formula is of the form $\varphi_{dead_1} \vee \varphi_{dead_2}$ with:

$\varphi_{dead_1}: x_2 = x_4 = x_5 = x_6 = x_7 = 0$, $\varphi_{dead_2}: \ldots = x_2 = x_4 = x_5 = x_6 = 0$.

The iterated computation of $Upre_{R'}$ applied to $\varphi_{dead_1}$ terminates after 22 steps (and takes 50 seconds). Besides for all $j < 22$, one can check that all the nonnull coefficients of $\mu$ in $pre_{R',\mu}(Upre^j_{R'}(\varphi_{dead_1}))$ are equal to 1. Therefore there is no upper approximation: $Upre^*_{R'}(\varphi_{dead_1}) = pre^*_R(\varphi_{dead_1})$. It is a set of 10 constraints:

$\{x_2 = x_4 = x_5 = x_6 = x_7 = 0,\ x_2 = x_4 = x_5 = x_7 = 0 \wedge x_6 \geq 1,\ x_2 = x_4 = x_7 = 0 \wedge x_5 \geq 1,\ x_2 \geq 1,\ x_1 \geq 1 \wedge x_7 \geq 1,\ x_6 \geq 1 \wedge x_7 \geq 1,\ x_4 \geq 1,\ x_3 \geq 1 \wedge x_6 \geq 1,\ x_5 \geq 1 \wedge x_7 \geq 1,\ x_3 \geq 1 \wedge x_5 \geq 1\}$

One of these constraints, $x_6 \geq 1 \wedge x_7 \geq 1$, has $\varphi_{init}$ as an instance. It follows that the system always has a deadlock, for any values of parameters $p_1$ and $p_2$ (greater than or equal to 1). It is often interesting to try and keep track of a path linking the initial marking to a deadlock, but this requires storing additional information during the construction of $Upre^*$ at a cost generally prohibitive. In this simple example however, it is possible to retrieve such a path (see [?]). Note that, in [?] we were not able to treat this example (but only a simplified version) due to memory space saturation.



Example 6. This example is a modelization of a part of communication protocol PNCSA (Standard Protocol for Connection to the Authorization System) borrowed from [?]. The Petri net has 38 transitions and 31 counters. The initial marking $x_{init}$ has two components equal to 1, and all the other ones null. The deadlock formula is of the form: $\varphi_{dead_1} \vee \cdots \vee \varphi_{dead_?}$.

Previous Works. In [?] the system was analyzed through the minimal coverability graph, an abstract form of the reachability set, which gives some information, e.g. about boundedness, but cannot certify the absence of deadlocks. We also tried to generate the reachability set using the Presburger based procedure of [?] but the system ran out of memory.

New Results. The extended Petri net $R'$ is obtained by decomposing $R$ up to level 20. The iterated computation of $Upre_{R'}$ applied to $\varphi_{dead_1}$ terminates after 53 steps, and takes 15 minutes. $Upre^*_{R'}$ contains 376 constraints. Besides, for all $j < 53$, one can here again check that all the nonnull coefficients of $\mu$ in $pre_{R',\mu}(Upre^j_{R'})$ appearing in lower bounds on $\mu$ are equal to 1. Therefore $Upre^*_{R'} = pre^*_{R'} = pre^*_R$. One constraint of $Upre^*_{R'}$ has $\varphi_{init}$ as an instance, which proves that the system has a deadlock. It is here also possible to exhibit a path linking $x_{init}$ to a deadlock marking (see [?]).

Note that the existence of this deadlock was unknown so far. There are several possible explanations to this deadlock ("local" but non "global" deadlock, flaws in the modelling, ...) but such an issue is beyond the scope of the paper.
5 Timed Nets

In this section, we consider "timed nets", obtained by adding to timed automata a finite set $X$ of places (or counters). This allows us to combine known results on timed automata with those of §3 on Petri nets. Note that many other models have been proposed to build timed extensions of Petri nets (see e.g. [?]), but we do not consider them here. We first recall the definitions of timed automata, then treat the case of timed automata with counters (timed nets), with a short discussion on the issue of meta-transitions.

5.1 Timed Automata 

We consider here Alur-Dill's timed automata [?]. As finite state automata, timed automata have a finite set of locations. In addition, they use a finite set $Y$ of variables $y_1, \cdots, y_n$, called clocks, which evolve continuously at the same rate. A transition is enabled only if some relation, called guard, is satisfied by the current values of the clocks. When a transition is fired, some clocks are reset to fixed values. Moreover, inside each location, the clock values are required to satisfy a relation called invariant. Guards and invariants are conjunctions of constraints of the form $y_i \ll a_i$ or $a_i \ll y_i$ with $\ll \in \{<, \leq\}$. Formally, a timed automaton $T$ is a tuple $(L, \ell_{init}, Y, I, E)$, where

- $L$ is a finite set of locations,

- $\ell_{init} \in L$ is the initial location,

- $Y = \{y_1, \cdots, y_n\}$ is a finite set of clocks,

- $I$ is a mapping that labels each location $\ell$ in $L$ with some location invariant, simply written $I_\ell$ instead of $I(\ell)$ in the following,

- $E$ is a set of action transitions of the form $e: ((\ell, \ell'), \psi, \rho)$ where $\ell$ and $\ell'$ belong to $L$, $\psi$ is a guard and $\rho$ is a mapping over $Y$ such that, for all $y \in Y$, either $\rho(y) = y$ or $\rho(y) = 0$.

A state is a mapping from $\{s\} \times Y$ to $L \times \mathbb{R}^+$ where $s$ denotes a location variable. A set of states will be represented by a formula $\Phi(s, y)$ where $y$ is the vector $y_1 \cdots y_n$ interpreted as (nonnegative) real-valued variables. The semantics of timed automata are defined by an initial formula and reachability relations:

- the initial formula $\Phi_{init}(s, y)$ is: $s = \ell_{init} \wedge y = 0$.

- the action reachability relation via $e : ((\ell, \ell'), \psi, \rho)$, written $\xrightarrow{e}$, is such that:

$(s, y) \xrightarrow{e} (s', y')$ iff $s = \ell \wedge s' = \ell' \wedge I_s(y) \wedge I_{s'}(y') \wedge \psi(y) \wedge y' = \rho(y)$.

- the delay reachability relation, written $\xrightarrow{\delta}$, is such that:

$(s, y) \xrightarrow{\delta} (s, y')$ iff $\exists \epsilon \in \mathbb{R}^+\ (I_s(y) \wedge I_s(y') \wedge y' = y + \epsilon)$.

- the reachability relation via automaton $T$, written $\xrightarrow{T}$, is the union over $e \in E$ of the compositions of $\xrightarrow{e}$ with the delay relation $\xrightarrow{\delta}$.

We also recall the notion of "clock region" [?].

Definition 4. A formula $\Phi(y)$ is a clock region iff it is a conjunction of inequalities of the form: $y_i + d \ll y_j$, $y_i \ll y_j + d$, $d \ll y_i$, $y_i \ll d$

with $y_i, y_j \in Y$, $d \in \mathbb{N}$ and $\ll \in \{<, \leq\}$.
5.2 Timed Automata with Counters

We now show that proposition 3 also holds for timed automata with counters. For the sake of conciseness we give only results concerning the set $pre$ of predecessors, but similar results also hold for $post$. An (extended) action transition $f$ does not go any longer from $s$ to $s'$ over $L$, but from a pair $(x, s)$ to a pair $(x', s')$ over $\mathbb{N}^m \times L$ such that: $x' = x + c \wedge x \geq a$, for a vector $c$ of integers and a vector $a$ of natural numbers associated with $f$. A state is now a mapping from $X \times \{s\} \times Y$ to $\mathbb{N} \times L \times \mathbb{R}^+$ and a set of states will be represented by a formula $\Phi(x, s, y)$ where $x$ is interpreted over $\mathbb{N}^m$ and $y$ over $\mathbb{R}^{+n}$.

A timed net $U$ is a tuple $(X, \varphi_{init}, L, \ell_{init}, Y, I, F)$, where $X$ is the set of counters, $\varphi_{init}$ the initial formula for counters, $L$ the set of locations, $\ell_{init}$ the initial location, $I$ the invariant mapping, $Y$ the set of clocks and $F$ the set of transitions. We define:

- the initial formula $\Phi_{init}(x, s, y)$: $\varphi_{init}(x) \wedge s = \ell_{init} \wedge y = 0$

- the extended action reachability relation via $f: ((c, a), (\ell, \ell'), \psi, \rho)$, written $\xrightarrow{f}$:

$(x, s, y) \xrightarrow{f} (x', s', y')$ iff $x' = x + c \wedge x \geq a \wedge s = \ell \wedge s' = \ell' \wedge I_s(y) \wedge I_{s'}(y') \wedge \psi(y) \wedge y' = \rho(y)$

- the delay reachability relation $\xrightarrow{\delta}$:

$(x, s, y) \xrightarrow{\delta} (x, s, y')$ iff $\exists \epsilon \in \mathbb{R}^+\ (I_s(y) \wedge I_s(y') \wedge y' = y + \epsilon)$.

- the reachability relation via $U$, written $\xrightarrow{U}$, is the union over $f \in F$ of the compositions of $\xrightarrow{f}$ with the delay relation $\xrightarrow{\delta}$.

Given a formula $\Phi$ and a timed net $U$, we define $pre_U(\Phi)$ as the result of eliminating $s'$ over $L$, $x'$ over $\mathbb{N}$ and $y'$ over $\mathbb{R}$ from

$\exists x', s', y'\ ((x, s, y) \xrightarrow{U} (x', s', y') \wedge \Phi(x', s', y'))$.

We now extend the notions of counter regions and counter class $\mathcal{C}$ as follows:

Definition 5. A formula $\Phi(x, y)$ is a mixed region iff it is a conjunction of inequalities of the form:

$x_i + d \geq x_j$, $x_i \geq x_j + d$, $x_i \geq d$, $d \geq x_i$,

$y_i + d \ll y_j$, $y_i \ll y_j + d$, $d \ll y_i$, $y_i \ll d$

with $x_i, x_j \in X \cup P$, $y_i, y_j \in Y$, $d \in \mathbb{N}$ and $\ll \in \{<, \leq\}$.

Definition 6. A formula $\Phi(x, s, y)$ belongs to mixed class $\mathcal{D}$ iff it is a disjunction of the form $\bigvee_{k \in K} s = \ell_k \wedge \Phi_k(x, y)$, where $K$ denotes a finite set of indices, $\ell_k$ is in $L$, and $\Phi_k(x, y)$ is a mixed region.



Proposition 4. Let $\Phi$ be a formula of $\mathcal{D}$ and $U$ a timed net. Then:

1. Variable elimination with Fourier-Motzkin is exact for computing $pre_U(\Phi)$.

2. $pre_U(\Phi)$ belongs to $\mathcal{D}$.

3. When it terminates, the iterative computation of $pre^*_U(\Phi)$ (using Fourier-Motzkin) yields a formula $pre^*_U(\Phi)$ belonging to $\mathcal{D}$.

Proof. (sketch) By proposition 3, statements 1 and 2 hold in the special case of an ordinary Petri net ($Y = \emptyset$). It is easy to see that they hold also in the special case of an ordinary timed automaton ($X = \emptyset$), using the closure property of "clock regions" [?] (see footnote 4). The truth of statements 1 and 2 for a general timed net $U$ follows from the combination of these special cases, using the fact that, when computing $pre_U$, there is no interaction between variables of $X$ and variables of $Y$ in $\xrightarrow{U}$. Statement 3 then follows from statements 1 and 2.

The proposition above allows us to consider all the variables as if they were real ones (including variables of $X$) and to use Fourier-Motzkin elimination for computing predecessors in class $\mathcal{D}$.



Fig. 3. Horse Manufactory (figure not reproduced: two timed nets, Carver and Painter; the legible inscriptions are $w: y_c \leq 2 \wedge x' = x + 1$ for the carver and, for the painter, $h: x \geq 2 \wedge y_p \leq 5 \wedge x' = x - 1 \wedge y'_p = 0$ and $h: x = 1 \wedge y_p \leq 5 \wedge x' = x - 1 \wedge y'_p = 0$)

Example 7. This example, taken from [?], is a simple model of a "Horse Manufactory", where wooden black horses are produced by a carver and a painter. The system is represented in figure 3 by two timed nets, for the carver and the painter respectively. The carver has two locations idle, carve and one clock $y_c$, while the painter has two locations idle and work and the clock $y_p$. The processes communicate through the transition labeled $w$, which corresponds to the production of a wooden horse by the carver and its reception by the painter. This transition operates on the place $x$, which counts the number of carved horses that are not yet painted. The carver begins his work upon arrival of a block of wood, corresponding to the transition from idle to carve, with label $b$, which resets the carver clock $y_c$. From this point on, carving must be finished in at most 2 time units: invariant $y_c \leq 2$ is associated with the location carve and the transition labeled $w$ increments the counter $x$ and returns to location idle. With the same transition $w$, the painter first stores the piece. Then, transition $h$ represents the production by the painter of one black horse, which decrements $x$ and must occur in at most 5 time units, unless a new wooden horse is produced. Thus, both transitions $w$ and $h$ reset the painter clock $y_p$.

Footnote 4: Statement 1 is trivial in this case because all the variables belong to $Y$, and are real.

We consider properties relative to the maximal delay between arrival of a block of wood and production of a painted horse. The strong property (S) simply requires that this delay be equal to 7: each time an action $b$ occurs, there is an action $h$ within a delay strictly less than 7 time units. Property (S) is expressed by an "observer automaton" and proved false (in the system composed of Carver, Painter and Observer) in seven iterations. The weak version (W) of this property expresses as follows: if $b$ occurs and is not followed by another action $b$ for 7 time units, then an action $h$ occurs within this delay. Property (W) is proved true after three iterations (see [?] for details).



5.3 Meta-transitions 



The notions of fused and meta-transitions, as defined above in the context of ordinary Petri nets, do not easily extend to timed nets. The problems already arise with timed automata (without counters). One difficulty stems from the fact that the application of two action transitions $e_1$ and $e_2$ interleaved with delay-transitions cannot be reduced to the application of some "fused" action-transition, say $e_3$, interleaved with delay-transitions, so the situation is radically different from the one prevailing in the case of ordinary Petri nets (see footnote). Still the finite application of a sequence of action transitions between two states $y$ and $y'$ defines a linear arithmetic relation, and the transitive closure of such a relation (meta-transition) is still definable in the additive theory of $\mathbb{R}$, as shown by Comon and Jurski ([?], p.274; see also [?]). However the complexity of such a relation is intractable (double exponential in the number of clocks in the worst case). A possible manner to overcome this problem might be to approximate this transitive closure relation using, e.g., methods proposed in [?], but this would deserve further study.



6 Final Remarks 

We have given a theoretical justification for using tools designed for the analysis of automata with real-valued variables in order to analyse automata with integer-valued variables such as Petri nets. The constraint solving procedure was very easy to implement in HyTech, as well as the encoding of meta-transitions. Such a task could also have been achieved with a constraint programming language such as CLP($\mathbb{R}$) (as done in [?] in the context of EFSM). Other real-time analysis tools like Uppaal [?] might also be used when no parameter is involved (although encoding meta-transitions may be a problem). To our knowledge, the idea of using variable elimination over $\mathbb{R}$ instead of $\mathbb{N}$ for computing the set $post^*$ of reachable markings for Petri nets, had not been exploited so far. Experiences show an impressive gain of performance: all the examples from [?] have been reproduced with a speed-up from 10 to 50 times, a deadlock has been found for the first time in the PNCSA protocol (as modeled in [?]), ... The use of real arithmetic with meta-transitions may yield an upper approximation of the computed reachability set. Such an approximation is the price to pay for improving the convergence of $post^*$. Using real arithmetic can be seen here as an alternative to classical approximation methods as those used in Abstract Interpretation (e.g., "widening" or "convex hull") [?]. Finally our method extends to Petri nets with inhibitors and to timed nets. However difficulties arise when dealing with fused and meta-transitions for timed nets, and applicability of the approach in this context should be further studied on significant examples.

Footnote: In [?] there is an attempt to extend fusion rules a la Berthelot [?] within another model of time Petri nets but with severe conditions for rule application.
Abstract. We propose generic schemes for basic composition operations
(sequential composition, choice, iteration, and refinement) for high-level 
Petri nets. They tolerate liberal combinations of place types (equal, dis- 
joint, intersecting) and allow for weak and strong versions of composi- 
tions (owing to a parameterised scheme of type construction). Important 
properties, including associativity, commutativity, and coherence w.r.t. 
unfolding, are preserved. 



1 Introduction 

The lack of compositionality, attributed to Petri net models, has inspired intensive research aimed at overcoming this disadvantage. Part of the efforts is concerned with introducing algebraic features into net formalisms [?]. The operators defined on place-transition nets usually share intuitively well-founded, uniform schemes of node connection (as a rule, based on cross-products of participating frontier node sets) while the diversity of high-level models induces an even more noticeable multitude of corresponding operator schemes. Usually these schemes either involve complex type formation constructs [?], or are accompanied by substantial restrictions on structural and/or notational characteristics of the interface nodes [?] or are not concerned with algebraic treatment [?]. Such schemes usually represent polar views of the dichotomy 'strong vs. weak (layered [?]) composition' (the most frequent being the 'strong' case).

The work presented in this paper aims at systematically developing a set of 
place-based composition operations for high level Petri nets, which: 

(1) impose as few as possible restrictions on the types of places (allowing, in 
particular, for equal, disjoint, and intersecting types); 

(2) allow a wider interpretation of the interface place assignment (permitting, in particular, side conditions next to refined transitions, as well as combined entry/exit-places of a net);

(3) possess a well justified and uniform intuition regarding the causality aspects; 

(4) are able to represent weak and strong composition aspects simultaneously; 

(5) are still tractable in algebraic contexts, preserve reasonable properties such 
as commutativity, associativity, and are coherent w.r.t. net unfolding. 

The above goals are reached in the following way. A liberal place typing (goal (1)) and an integrated treatment of weak and strong compositionality (goal (4)) become possible thanks to the proposed universal parameterised type construction scheme (section 3). This scheme is incorporated in auxiliary net-based operations (section [?]) that serve as a repertoire of the elementary building blocks of which the main operators are composed (sections [?]). These operations are defined in such a manner (section [?]) that a number of desirable algebraic (goal (5)), causality (goal (3)), and interface-related (goal (2)) properties are obtained. As an auxiliary uniform and consistent means for expressing and proving properties of the operations, an 'M-nets with a basis' kit is developed (section [?]). Proofs of the results claimed in this paper can be found in [?].

Jos C.M. Baeten, Sjouke Mauw (Eds.): CONCUR'99, LNCS 1664, pp. 194-[...], 1999.

2 Basic Notions 



$\mathbb{IN}$ is the set of natural numbers. A multiset $\mu$ over a set $U$ is a function $\mu: U \to \mathbb{IN}$; $u \in \mu$ iff $\mu(u) > 0$, and $\mu$ is a set iff $\forall u \in U$: $\mu(u) \leq 1$. The support of a multiset $\mu$ is defined as the set $sp(\mu) = \{u \mid u \in \mu\}$, and $\mu$ is finite if its support is finite. The set of all finite multisets over $U$ is denoted by $\mathcal{M}_f(U)$. Moreover:

$\mu_1 \leq \mu_2$ iff $\forall u \in U$: $\mu_1(u) \leq \mu_2(u)$ (this is $\subseteq$ if both $\mu_1$ and $\mu_2$ are sets),

$\mu_1 + \mu_2$ is a multiset such that $\forall u \in U$: $(\mu_1 + \mu_2)(u) = \mu_1(u) + \mu_2(u)$,

$\mu_1 - \mu_2$ is a multiset such that $\forall u \in U$: $(\mu_1 - \mu_2)(u) = \max\{0, \mu_1(u) - \mu_2(u)\}$,

$\mu_1 \setminus \mu_2$ is a multiset such that $\forall u \in U$: $(\mu_1 \setminus \mu_2)(u) = \mu_1(u)$ if $\mu_2(u) = 0$, and $0$ otherwise,

$\mu_1 \cup \mu_2$ is a multiset such that $\forall u \in U$: $(\mu_1 \cup \mu_2)(u) = \max\{\mu_1(u), \mu_2(u)\}$,

$\mu_1 \cap \mu_2$ is a multiset such that $\forall u \in U$: $(\mu_1 \cap \mu_2)(u) = \min\{\mu_1(u), \mu_2(u)\}$.

When using the generalised union $\bigcup$ (and similarly $\bigcap$), we consider this as a unary operator on a set of arguments. Thus, $\bigcup\{\mu_i \mid i \in \mathbb{IN}\}$ is tantamount to $\mu_0 \cup \mu_1 \cup \mu_2 \cup \ldots$, and $\bigcap\{\mu_1, \mu_2\}$ equals $\mu_1 \cap \mu_2$. For the sum, we use the traditional notation; thus, for instance, $\sum_{i \in I} \mu_i$ equals (in the same convention as for union and intersection) $+\{\mu_i \mid i \in I\}$. Restriction of a function $f$ to the domain $U$ is denoted by $f|_U$.

The high-level net model we use is close to that from the standard [?] and represents a relation-oriented version of M-nets [?]. Its definition (given next) is parameterised by pairwise disjoint sets of values ($VAL$), modes ($MOD$), and actions ($A$). However, $MOD$ and $A$ play very minor roles in the subsequent parts of the paper, and their involvement in the definition is mainly for the sake of completeness. These sets are, therefore, often omitted in examples.



Definition 1. (M-Net) An M-net is a triple $(S, T, \iota)$, where $S$ is a set of places, $T$ is a set of transitions, with $S \cap T = \emptyset$, and $\iota$ is an inscription function with domain $S \cup (S \times T) \cup (T \times S) \cup T$ such that:

- $\forall s \in S$: $\iota(s) = (\lambda(s) \mid \alpha(s))$, where $\lambda(s) \in \{\{e\}, \{x\}, \{e, x\}, \{i\}\}$ is called the status of $s$, and $\alpha(s) \subseteq VAL$ is the type of $s$;

- $\forall t \in T$: $\iota(t) = (\lambda(t) \mid \alpha(t))$, where $\lambda(t) \subseteq A$ is called the label of $t$, and $\alpha(t) \subseteq MOD$ is the set of modes (or type) of $t$;

- $\forall (s, t) \in S \times T$: $\iota(s, t) \in \mathcal{M}_f(\{(v, m) \mid v \in \alpha(s) \wedge m \in \alpha(t)\})$;

- $\forall (t, s) \in T \times S$: $\iota(t, s) \in \mathcal{M}_f(\{(m, v) \mid v \in \alpha(s) \wedge m \in \alpha(t)\})$.
Nets $N_1 = (S_1, T_1, \iota_1)$ and $N_2 = (S_2, T_2, \iota_2)$ are disjoint if $S_1, S_2, T_1, T_2$ (and hence, $\iota_1$ and $\iota_2$) are mutually disjoint. The notion of a type $\alpha(.)$ is extended to the sets of nodes: if $Y \subseteq S$ or $Y \subseteq T$ then $\alpha(Y) = \bigcup\{\alpha(y) \mid y \in Y\}$.

Given a net $N$, the following interface-related notations will be used: entry places ${}^\bullet N = \{s \mid s \in S \wedge e \in \lambda(s)\}$, exit places $N^\bullet = \{s \mid s \in S \wedge x \in \lambda(s)\}$, combined entry-exit places ${}^\bullet N^\bullet = \{s \mid s \in S \wedge \lambda(s) = \{e, x\}\}$ ($= {}^\bullet N \cap N^\bullet$), pure entry places ${}^\circ N = {}^\bullet N \setminus N^\bullet$, pure exit places $N^\circ = N^\bullet \setminus {}^\bullet N$, interface places ${}^\bullet N \cup N^\bullet$. The other places with status $\{i\}$ are called internal. In contrast with [?], we allow input arcs into entry places, output arcs from exit places, and places that are both entry and exit (the latter make sense for unguarded loop operators).

Given a net $N$ and a node $y \in S \cup T$, we denote by ${}^\bullet y$ and $y^\bullet$ the sets of entry and exit nodes of $y$, respectively: ${}^\bullet y = \{y' \mid y' \in S \cup T \wedge \iota(y', y) \neq \emptyset\}$, $y^\bullet = \{y' \mid y' \in S \cup T \wedge \iota(y, y') \neq \emptyset\}$; also, ${}^\circ y = {}^\bullet y \setminus y^\bullet$ and $y^\circ = y^\bullet \setminus {}^\bullet y$. In addition, for $t \in T$ we denote by ${}^\bullet t^\bullet$ the set of side places of $t$.

We will assume that $VAL$ is the powerset of a plain set $BAS$ of symbols, i.e., every value is a set of basic symbols. The rationale for this will be explained later. For simplicity, we will identify $BAS$ with $\mathbb{IN}$. We will use $v, w$ as generic names for values from $VAL$. Examples of values: $v = \{1\}$, $w = \{0, 7, 8\}$, ... As generic names for value sets (i.e. for types) we will use $\beta$, $\varphi$.

The unfolding of an M-net $N$ is obtained by disassembling $N$ in such a way that every place in the resulting net gets a singleton type, and every transition exactly one mode. The behaviour of $N$ ought to be the same as the behaviour of its unfolding; hence the importance of the preservation of unfolding-related equivalences in composition operations. The places and the transitions of the unfolding are given names $s^v$ and $t^m$, to remind of the values and modes they arise from. The unfolding is unique up to the choice of these names (definition 3).

Definition 2. (M-Net Unfolding) Let N = {S, T, t) be an M-net. 

U{N) = {U{S),U{T),iu), where 

- U{S) = {s“ I sGS, uGq;(s)}, U{T) = {t"* I tGT, mGa{t)}, 

- Vs" G U{S): Luis'") = {\u{s") I au{s")), and Xu{s") = A(s), au{s") = {u}, 

- Vt- G U{T)-. Lu{tn = {Xuitn I o^uin), and \u{t"^) = \{t), au(t"") = {m}, 
-y{s" ,t"^) GU{S)xU{T)-. Lu{s",t'^) = L{s,t){v,m)-{{v,m)}, 

-\/{t"^,s") GU{T)xU{S): Lu{t"^,s") = L{t,s){m,v)-{{m,v)}. a| 

We will also speak of the unfolding of a (sub)set of nodes of a net (e.g.,
$U({}^\bullet N)$), considering this as the set of the corresponding nodes in the net unfold-
ing (i.e., for instance, $U({}^\bullet N) = {}^\bullet U(N)$).

Definition 3. (Net Isomorphism up to Node Renaming) Let $N = (S, T, \iota)$
and $N' = (S', T', \iota')$ be M-nets. N and N' are called isomorphic up to node re-
naming, denoted by $N \cong N'$, if there is a sort-preserving bijection $\rho: S \cup T \to S' \cup T'$
such that $\forall y \in S \cup (S \times T) \cup (T \times S) \cup T$: $\iota(y) = \iota'(\rho(y))$.

3 Parameterised Type Construction 

The composition operations presented in this paper are based on merging inter-
face places of the participating nets. The difference between the weak and strong
compositions comes into effect by the discipline of token propagation through
the ‘border’ resulting from merging these interface places. A weak discipline im-
plies that different values can proceed independently: tokens which correspond
to a certain value and which enter a net component are allowed to go further
without waiting for those tokens which are consumed by the same component
but correspond to other values. A strong discipline assumes joint treatment of
the values entering or leaving a participating net fragment (and considered as
belonging to an initial or final marking).

This distinction is illustrated in fig. 1, where only place types, place names
and (simplified) transition labels are shown. Assuming that places s1 and s2 are
initially marked by values {1} and {2}, respectively, then under strong sequence,
interleaving abcd (but not acbd) is possible; under weak sequence, abcd and acbd
(but not adbc) are possible. We will formalise this by using a parameter value
set ψ, whose members specify the weak type of composition. In this case, ψ = ∅
would correspond to the strong discipline, and ψ = {{1}, {2}} would correspond
to the weak discipline.



Fig. 1. Illustrating the difference between weak and strong sequential composi-
tion.



Since we deal with high-level nets, the creation of new places (from old ones 
by merging) must be accompanied by a type construction for these places. For the 
weak discipline, the values remain untouched; this mechanism is implemented 
by the intersection part of our type creation operator below. Under the strong 
composition, however, the new values must be bound to others, which implies 
that values reflect the corresponding dependency information. 

The choice of sets as the form of value representation (i.e. that each value is
a subset of BAS) is based primarily on the intention to obtain commutativity
and associativity of composition operators, and, in particular, of the refinement, 
as the most complicated case. If two transitions, which share some adjacent 
place(s), are to be refined by different nets, commutativity means that the two 
different sequences of refinements must result in the same (including names and 
types) sets of new places. Therefore, type creation must be commutative: each 
new value must be able to absorb information gradually from the (types of the) 
contributing places, while the final outcome should not depend on the order of 
the contributions. Sets are used, since they are simple structured objects, yet - 
when used in the particular way we propose - are able to meet these wishes. 
In general, let $\psi \subseteq VAL$ be a value set with respect to which the following no-
tions will be parameterised. For example, in fig. 2, ψ = {{3}, {4}, {5}, {6}, {7}}.
Values in ψ are called weak, others are called strong.



Fig. 2. Illustrating the origin of values in a new type.

In def. 6 below, we will describe a type construction facility which, given a
parameter set ψ and a multiset of types μ, creates a new type $\bowtie_\psi \mu$.

In fig. 2, for example, we wish to create $\bowtie_\psi\{\xi_1, \xi_2\}$ with ψ = {{3}, {4}, {5}, {6},
{7}}, ξ1 = {{1}, {2}, {3}, {4}, {5}} and ξ2 = {{4}, {5}, {6}, {7}, {8}, {9}}. The idea
is to let the weak part of $\bowtie_\psi \mu$ arise as the intersection of the original weak types
(after which, in fig. 2, values {4} and {5} survive), and the strong part of $\bowtie_\psi \mu$ as all
pairwise combinations of the original strong types (which yields, in fig. 2, the new
values {1,8}, {1,9}, {2,8}, and {2,9}). We have to ensure that the new values
can again be characterised as weak or strong w.r.t. the same ψ. Definition 4 and
lemma 1 serve this purpose.

Definition 4. (Conformable Multiset of Types) Let $\psi \subseteq VAL$, $\mu \in \mathcal{M}_f(2^{VAL})$.
$\mu$ is $\psi$-conformable iff $\forall \xi \in \mu\ \forall v \in \xi$: $(v \in \psi) \vee (\forall w \in \psi \cup \bigcup(\mu - \{\xi\}) : v \cap w = \emptyset)$.




Definition 4 (illustrated in table 1) means that each value v contained in one
of the original types ξ is contained in ψ (then it is and remains weak) or, if it is
strong, does not intersect with any value w from ψ or any other set (including
ξ itself, if ξ is contained twice or more in μ) in μ. The last condition implies, by
the use of multiset minus (−) rather than \, that the types with membership
in μ exceeding 1 must be completely weak. This is a technical subtlety which
guarantees coherence in certain cases; details are in [?].

From def. 4 it follows that if μ is ψ-conformable then so is each multiset
$\emptyset \neq \mu' \leq \mu$. In particular, the set $\{\xi \mid \xi \in \mu\}$ is itself ψ-conformable.
Value sets ξ and η (ψ = {{1},{2}})   | Comments
ξ = {{1},{2}}, η = {{1},{4}}         | {ξ}, {η}, {ξ,η} all conformable; {η,η} not conformable: {4} ∉ ψ while the multiplicity of η exceeds 1
ξ = {{1},{3}}, η = {{1},{4}}         | {ξ,η} is conformable
ξ = {{1},{3}}, η = {{1},{3,4}}       | not conformable: {3}, {3,4} ∉ ψ
ξ = {{1,3},{2}}, η = {{2}}           | not conformable: {1,3} ∉ ψ

Table 1. Examples of conformable and not conformable multisets.



The following auxiliary operator yields a value combination from values of a
set of value sets, taking each of the participating value sets once.

Definition 5. (Value Combination)

Let $\nu \subseteq 2^{VAL}$. Then $\biguplus \nu = \{v \mid v = \bigcup\{v_\xi \mid \xi \in \nu\} \text{ with } \forall \xi \in \nu : v_\xi \in \xi\}$.

Definition 6. (Type Construction) Let $\psi \subseteq VAL$. Let $\mu$ be $\psi$-con-
formable. Then $\bowtie_\psi \mu = (\bigcap \mu \cap \psi) \cup \biguplus\{\xi \setminus \psi \mid \xi \in \mu\}$.

The first disjunct is the new weak part, the second is the new strong part.
Fig. 2 and table 2 give examples of type construction. Moreover,

Lemma 1. (Consistency of ⋈) If $\mu$ is $\psi$-conformable, then so is $\{\bowtie_\psi \mu\}$.



Proposition 1. (Properties of Type Construction)

Let $\psi \subseteq VAL$, $\mu \neq \emptyset$ be $\psi$-conformable. Then:

(1) Associativity: If $\emptyset \neq \kappa \leq \mu$, then $\bowtie_\psi \mu = \bowtie_\psi ((\mu - \kappa) \cup \{\bowtie_\psi \kappa\})$;

(2) Distributivity w.r.t. set union:

If for each $\xi \in \mu$, $\xi = \bigcup A_\xi$ (where $A_\xi$ is a collection of types whose union is $\xi$),

then $\bowtie_\psi \mu = \bigcup \{\beta \mid \beta = \bowtie_\psi \{\alpha_\xi \mid \xi \in \mu\} \text{ with } \forall \xi \in \mu : \alpha_\xi \in A_\xi\}$.

From the remark after def. 4 infer that for any $\mu$, if $sp(\mu) \leq \mu' \leq \mu$ and
$\mu$ is $\psi$-conformable, then $\bowtie_\psi \mu' = \bowtie_\psi \mu$. Thus we can use $\bowtie_\psi \{\xi \mid \xi \in \mu\}$ instead of
$\bowtie_\psi \mu$.

Definitions 4 and 6 form the technical groundwork on which our results are
based. They have been chosen rather judiciously, and [?] contains various coun-
terexamples to some attempted simplifications or modifications of them.

4 Basic Operations on Nets 

In this section, we define some auxiliary operations: (1) net union (a step which 
allows to treat two nets as a single starting point), (2) place multiplication 
(to create ‘border’ places), (3) place addition (to insert new places into a net). 
Participating value sets                                             | Parameter set ψ | ⋈_ψ μ
ξ = {{1}} (μ = {ξ})                                                  | ∅               | {{1}}
ξ = {{1}} (μ = {ξ})                                                  | {{1},{2}}       | {{1}}
ξ = {{1},{2}}, η = {{1},{3}} (μ = {ξ,η})                             | {{1},{2}}       | {{1}}
ξ = {{1}}, η = {{2}} (μ = {ξ,η})                                     | {{1},{2}}       | ∅
ξ = {{1,2}}, η = {{2,3}} (μ = {ξ,η})                                 | {{1,2},{2,3}}   | ∅
ξ = {{1},{2,3}}, η = {{2,3},{4}}, β = {{2,3},{5},{6}} (μ = {ξ,η,β})  | {{2,3}}         | {{2,3},{1,4,5},{1,4,6}}

Table 2. Examples of type construction.

(4) place or transition restriction (to eliminate old nodes). We will define the 
auxiliary operations and the main composition operations in the framework of M- 
nets with basis (MNB). Such a net is an M-net which is associated with another 
M-net, called basis. Elements (nodes, types, values) from this basis play the role 
of an ‘alphabet’, in terms of which the corresponding elements of the MNB are 
expressed. The benefit of such a mechanism - which is embodied in def. 8 below
- is that the new (i.e. resulting from some composition) incidence relation can 
be constructed directly from (new) node names. 

The next definition transfers the notion of type set conformability to the
types of given place sets. The net in question will be a basis, whence the index
B.

Definition 7. (Compatible Set of Place Sets) Let $(S_B, T_B, \iota_B)$ be an M-net.
Let $I \neq \emptyset$. Then $\{S_i \subseteq \mathcal{M}_f(S_B) \mid i \in I\}$ is called $\psi$-compatible if for any $s = \sum_{i \in I} s_i$
with $\forall i \in I : s_i \in S_i$, the multiset $\mu_s = \sum_{s_B \in s} s(s_B) \cdot \{\alpha(s_B)\}$ is $\psi$-conformable.

Let, for example, $S_B$ be the place set of net $N_B$ in fig. 3, i.e. $S_B = \{s_1, s_2\}$, and
let $S' = \{\{s_1\}\}$ and $S'' = \{\{s_2\}\}$. Then $\{S', S''\}$ is {{1}, {2}}-compatible because
the multiset $\mu = \{\alpha(s_1), \alpha(s_2)\}$ (= {{{1}, {3}}, {{1}, {2}, {4}}}, which is, in this
example, a set) is {{1}, {2}}-conformable.

Definition 8. (M-Net with a Basis) Let $N = (S, T, \iota)$, $N_B = (S_B, T_B, \iota_B)$ be M-
nets and let $\psi$ be a parameter set. Then N is called an MNB (M-net with basis)
over $N_B$ and $\psi$ if the following conditions are satisfied:

$\forall s_B \in S_B\ \forall v \in \alpha(s_B)$: $|v| = 1$;

$T \subseteq T_B$; $\forall t \in T$: $\iota(t) = \iota_B(t)$;

$S \subseteq \mathcal{M}_f(S_B)$; $\{S\}$ is $\psi$-compatible; and $\forall s \in S$: $\alpha(s) = \bowtie_\psi \{\alpha(s_B) \mid s_B \in s\}$;

$\forall (s, t) \in S \times T\ \forall v \in VAL\ \forall m \in MOD$: $\iota(s, t)(v, m) = \sum_{s_B \in s} \sum_{g \in v} s(s_B) \cdot \iota_B(s_B, t)(\{g\}, m)$;

$\forall (t, s) \in T \times S\ \forall v \in VAL\ \forall m \in MOD$: $\iota(t, s)(m, v) = \sum_{s_B \in s} \sum_{g \in v} s(s_B) \cdot \iota_B(t, s_B)(m, \{g\})$.




Weak and Strong Composition of High-Level Petri Nets 201

Fig. 3 gives an example of an MNB N with basis $N_B$. Note how the type
{{1},{3,4}} of the ‘combined’ place $\{s_1, s_2\}$ arises from the types of $s_1, s_2$ via
ψ, and how its connections to t arise through the connections of $s_1$ and $s_2$ to t in
$N_B$: weak value {1}, contained in the types of both $s_1$ and $s_2$, is preserved in the
type of $\{s_1, s_2\}$, while weak value {2}, contained only in $\alpha(s_2)$, is eliminated via
intersection and is not inherited by $\alpha(\{s_1, s_2\})$; strong values {3} and {4} are
combined into a new strong value {3,4}; the coefficients 3 and 1 next to ({1}, m1)
and (m1, {1}), respectively, are equal to the corresponding coefficients in $N_B$,
and similarly with coefficients 2 next to ({3,4}, m2) and 4 next to (m2, {3,4}).

Fig. 3. Example of an MNB N over $N_B$ and ψ = {{1}, {2}}.

Given an MNB N over $N_B$ and ψ we sometimes do not give $N_B$ and ψ
explicitly, if they are clear from the context. If N is an MNB over $N_B$ and ψ,
then, up to place renaming, $U(N)$ is an MNB over $U(N_B)$ and ψ.

Definition 9. (Basis-Disjoint MNB’s) Let N and N' be MNB’s over the same
ψ and the bases, respectively, $N_B$ and $N'_B$. N and N' are called basis-disjoint if
$N_B$ and $N'_B$ are disjoint.

Note that if N and N' are basis-disjoint then they are disjoint.

Definition 10. (MNB Union) Let $N = (S, T, \iota)$ and $N' = (S', T', \iota')$ be basis-
disjoint MNB’s over the same ψ and bases $N_B = (S_B, T_B, \iota_B)$ and $N'_B =
(S'_B, T'_B, \iota'_B)$, respectively. Then,

$N_B \cup N'_B = (S_B \cup S'_B, T_B \cup T'_B, \iota_B \cup \iota'_B)$ and $N \cup N' = (S \cup S', T \cup T', \iota \cup \iota')$.

Note that $N \cup N'$ is an MNB over $N_B \cup N'_B$ and ψ. Moreover, MNB union is com-
mutative, associative, and commutes with unfolding, i.e.: if $U(N \cup N')$ is defined
then so is $U(N) \cup U(N')$, and they are equal.

The place multiplication operator ⊗ (def. 11 and table 3) takes an MNB and
a collection of subsets of its places, and creates a new set of places through a
cartesian product based scheme, by taking all possible combinations of places
from the participating sets (one from each of the sets), but leaving only those
which obtain non-empty types from the type construction operator ⋈. The non-
emptiness condition for the resulting types is necessary in order to preserve the
coherence of this operator w.r.t. unfolding [?], and it just excludes useless places.

Definition 11. (Place Multiplication) Let $N = (S, T, \iota)$ be an MNB, and $I \neq \emptyset$.
Let $\{S_i \mid i \in I\}$ be a $\psi$-compatible set of subsets of S, and $\tau \in \{\{e\}, \{x\}, \{e, x\}, \{i\}\}$.
Then,

$\bigotimes^{\tau}_{\psi}\{S_i \mid i \in I\} = \{ s \mid s = \sum_{i \in I} s_i, \text{ with } (\forall i \in I : s_i \in S_i) \text{ and } (\bowtie_\psi \{\alpha(s_B) \mid s_B \in s\} \neq \emptyset) \}$.

Moreover, for $s \in \bigotimes^{\tau}_{\psi}\{S_i \mid i \in I\}$ we put $\lambda(s) = \tau$ and $\alpha(s) = \bowtie_\psi \{\alpha(s_B) \mid s_B \in s\}$.



Proposition 2. (Properties of Place Multiplication) Let $(S, T, \iota)$ be an MNB,
$I \neq \emptyset$, and $\forall i \in I : S_i \subseteq S$. Let $\tau, \tau_1 \in \{\{e\}, \{x\}, \{e, x\}, \{i\}\}$. Then,

(1) Associativity: If $\emptyset \neq K \subset I$, then $\bigotimes\{S_i \mid i \in I\} = \bigotimes(\{S_j \mid j \in I \setminus K\} \cup \{\bigotimes\{S_k \mid k \in K\}\})$;

(2) Distributivity w.r.t. set union: If $\forall i \in I : S_i = \bigcup\{S_i^{j_i} \mid j_i \in J_i\}$, where $J_i \neq \emptyset$ is
an index set, then $\bigotimes\{S_i \mid i \in I\} = \bigcup\{\bigotimes\{S_i^{j_i} \mid i \in I\} \text{ with } \forall i \in I : j_i \in J_i\}$;

(3) Coherence w.r.t. unfolding: $U(\bigotimes\{S_i \mid i \in I\}) = \bigotimes\{U(S_i) \mid i \in I\}$.



S_i, i ∈ I                                                                         | Parameter set ψ | Result of ⊗
S_1 = {{s1}} with s1: ({e}|{{1}}) (I = {1})                                         | {{1}}           | {s1}: ({e}|{{1}})
S_1 = {{s1},{s2}} with s1: ({e}|{{1},{2}}), s2: ({x}|{{2}}); S_2 = {{s3}} with s3: ({e}|{{1},{3}}) (I = {1,2}) | {{1}} | {s1,s3}: ({e}|{{1},{2,3}}), {s2,s3}: ({e}|{{2,3}})
S_1 = {{s1},{s2}} with s1: ({e}|{{1},{2}}), s2: ({x}|{{2}}); S_2 = {{s3}} with s3: ({e}|{{3},{4}}) (I = {1,2}) | {{2}} | {s1,s3}: ({e}|{{1,3},{1,4}})

Table 3. Examples of place multiplication.
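As an added worked example (my own code, not the paper's), the following Python implements definitions 4, 5, 6 and 11 over frozensets and reproduces the type construction of fig. 2 and the last row of table 3; all function names are mine, and representing a place as a sorted tuple of basis place names is my own encoding of the multiset.

```python
"""Parameterised type construction and place multiplication (defs. 4, 5, 6, 11).
Added example, not code from the paper."""
from itertools import product

# A value is a frozenset of basic symbols (BAS is identified with the naturals),
# a type is a frozenset of values, and the parameter set psi is a set of values.
Value = frozenset
Type = frozenset


def typ(*values):
    """Build a type from iterables of basic symbols, e.g. typ([1], [2, 3])."""
    return Type(Value(v) for v in values)


def is_conformable(mu, psi):
    """Definition 4. mu is a list used as a multiset of types. A value v of a
    type xi in mu must be weak (v in psi) or disjoint from every value of psi
    and of every other member of mu, where a second copy of xi itself counts
    (multiset minus), so a type occurring twice has to be completely weak."""
    for i, xi in enumerate(mu):
        others = [eta for j, eta in enumerate(mu) if j != i]   # mu - {xi}
        pool = set(psi).union(*others)
        for v in xi:
            if v not in psi and any(v & w for w in pool):
                return False
    return True


def value_combination(nu):
    """Definition 5. All unions taking exactly one value from each type in nu.
    As soon as one participating type is empty there is no combination."""
    return Type(Value().union(*choice) for choice in product(*nu))


def type_construction(mu, psi):
    """Definition 6. Weak part: the values shared by all types that lie in psi.
    Strong part: value combinations of the strong (non-psi) remainders."""
    if not mu:
        raise ValueError("mu must be non-empty")
    if not is_conformable(mu, psi):
        raise ValueError("multiset of types is not psi-conformable")
    weak = Type.intersection(*mu) & psi
    strong = value_combination([xi - psi for xi in mu])
    return weak | strong


def place_multiplication(place_sets, basis_types, psi, status):
    """Definition 11. A place is a multiset of basis places, written here as a
    sorted tuple of basis place names. Take one place from every set, sum the
    multisets, construct the type from the basis types and keep only places
    whose type is non-empty. Raises if the sets are not psi-compatible."""
    result = {}
    for choice in product(*place_sets):
        s = tuple(sorted(name for place in choice for name in place))
        mu = [basis_types[name] for name in s]
        if not is_conformable(mu, psi):
            raise ValueError(f"place sets are not psi-compatible at {s}")
        alpha = type_construction(mu, psi)
        if alpha:                      # empty types would give useless places
            result[s] = (status, alpha)
    return result


# Constructed inputs following fig. 2 and the last row of table 3.
PSI_FIG2 = typ([3], [4], [5], [6], [7])
XI1 = typ([1], [2], [3], [4], [5])
XI2 = typ([4], [5], [6], [7], [8], [9])

BASIS_TABLE3 = {"s1": typ([1], [2]), "s2": typ([2]), "s3": typ([3], [4])}
S1_TABLE3 = [("s1",), ("s2",)]     # the set S_1 = {{s1}, {s2}}
S2_TABLE3 = [("s3",)]              # the set S_2 = {{s3}}
PSI_TABLE3 = typ([2])


def demo():
    """Return the fig. 2 type and the table 3 places; {s2,s3} is dropped
    because its constructed type is empty."""
    new_type = type_construction([XI1, XI2], PSI_FIG2)
    places = place_multiplication([S1_TABLE3, S2_TABLE3], BASIS_TABLE3,
                                  PSI_TABLE3, frozenset({"e"}))
    return new_type, places


if __name__ == "__main__":
    new_type, places = demo()
    print(sorted(sorted(v) for v in new_type))
    for name, (status, alpha) in places.items():
        print(name, sorted(status), sorted(sorted(v) for v in alpha))
```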



Place addition ⊕ (def. 12 and fig. 4) serves for adding new places to an MNB:
given an MNB and a set of places (which, in our context, will usually be outcomes
of the previously introduced operator ⊗), it creates new incidences, depending
on the types of the new places, and correspondingly modifies the MNB.

Definition 12. (Place Addition) Let $N = (S, T, \iota)$ be an MNB over basis
$N_B = (S_B, T_B, \iota_B)$ and $\psi$. Let $S' \subseteq \mathcal{M}_f(S_B)$ s.t. for all $s \in S'$, $\mu_s = \sum_{s_B \in s} s(s_B) \cdot \{\alpha(s_B)\}$
is $\psi$-conformable. Then $N \oplus S' = (S \cup S', T, \iota')$.

Note that $\iota'$ arises from def. 8, since $(S \cup S', T, \iota')$ has the same basis as N.
In fig. 4, adding to MNB N (over $N_B$, ψ) a place $\{s_1, s_1, s_2\}$ results in MNB $N_1$,
whereas adding to the same MNB two places, $\{s_1, s_2\}$ and $\{s_2, s_3, s_3\}$, yields
MNB $N_2$. New places are highlighted by bold lines.

Proposition 3. (Properties of Place Addition) Let N be an MNB and $S', S''
\subseteq \mathcal{M}_f(S_B)$. Then the following hold: (1) Empty set as a zero element: $N \oplus
\emptyset = N$, (2) Duplication prevention: $N \oplus S' = N \oplus (S' \setminus S)$, (3) Commutativity:
$(N \oplus S') \oplus S'' = (N \oplus S'') \oplus S'$, (4) Distributivity w.r.t. place set union:
$N \oplus (S' \cup S'') = (N \oplus S') \oplus S''$, (5) Context sensitivity: If $N_1$ is an MNB which
is basis-disjoint with N, and $S' \subseteq \mathcal{M}_f(S_B)$, then $(N \cup N_1) \oplus S' = (N \oplus S') \cup N_1$,
(6) Coherence w.r.t. unfolding: $U(N \oplus S') = U(N) \oplus U(S')$.

Fig. 4. Illustrating place addition.

Restriction (next definition) drops elements from a net. 

Definition 13. (Restriction) Let $N = (S, T, \iota)$ be an MNB over $(S_B, T_B, \iota_B)$,
and $Y \subseteq \mathcal{M}_f(S_B) \cup T_B$. Then $N \mathrel{rs} Y = (S \setminus Y, T \setminus Y, \iota|_{S' \cup (S' \times T') \cup (T' \times S') \cup T'})$,
where $S' = S \setminus Y$ and $T' = T \setminus Y$.

Proposition 4. (Properties of Restriction) Let $N = (S, T, \iota)$ be an MNB over
$N_B = (S_B, T_B, \iota_B)$, $\psi$. If $S' \subseteq \mathcal{M}_f(S_B)$, $Y, Y_1, Y_2 \subseteq S \cup T$, then: (1) Empty set as
a zero element: $N \mathrel{rs} \emptyset = N$, (2) Idempotence: $(N \mathrel{rs} Y) \mathrel{rs} Y = N \mathrel{rs} Y$,
(3) Commutativity: $(N \mathrel{rs} Y_1) \mathrel{rs} Y_2 = (N \mathrel{rs} Y_2) \mathrel{rs} Y_1$, (4) Context sensitiv-
ity: If $Y \cap (S \cup T) = \emptyset$ then $N \mathrel{rs} Y = N$, (5) Distributivity w.r.t. net union: If $N_1$
is an MNB which is basis-disjoint with N, then $(N \cup N_1) \mathrel{rs} Y = (N \mathrel{rs} Y) \cup (N_1 \mathrel{rs} Y)$,
(6) Suppression of place addition: $(N \oplus S') \mathrel{rs} S' = N \mathrel{rs} S'$, (7) Interchange-
ability with place addition: If $Y \cap S' = \emptyset$ then $(N \oplus S') \mathrel{rs} Y = (N \mathrel{rs} Y) \oplus S'$,
(8) Coherence w.r.t. unfolding: $U(N \mathrel{rs} Y) = U(N) \mathrel{rs} U(Y)$.
5 Net Composition Operations: General Scheme

Using the auxiliary operators defined in section 4 we now construct our main
composition operators. In [?] we consider the most important and widespread -
in net theoretic and process algebraic contexts - ones: parallel composition (||),
sequence (;), choice (□), iteration (two versions), and transition refinement. The
application of each of the above operators, except ||, can be considered as split
into four subsequent phases, which correspond to the application of the auxiliary
operators introduced earlier: ∪, ⊗, ⊕, rs. Which interface sets are involved and
how exactly they are impacted under different operations is determined by the
underlying causality semantics of the intended composition, and is illustrated
in the interface set correspondence diagrams in fig. 5; pairs and triples of place
sets which participate in each place multiplication operator are connected via
the symbol ⊗ in this figure.




Fig. 5. Multiplication of interface place sets under different operators: (a) se-
quence, (b) iteration-I, (c) iteration-II, (d) choice, (e) transition refinement.



Suppose that two disjoint nets $N_1$ and $N_2$ have {e}-places, {x}-places, but
no {e, x}-places. Then $N_1; N_2$ needs to be constructed by first taking the union
of the two nets, and then ⊗-multiplying the {x}-places of $N_1$ with the {e}-places
of $N_2$, parameterised by ψ. If $N_1$ or $N_2$ or both have {e, x}-places, then the logic
behind our definition is as follows (fig. 5(a)). The {e, x}-places of the first net,
while being combined with the pure entry places of the second one, ‘exhaust’
their exit capability, but retain the entry capability; the resulting places should
thus be treated as entry for the resulting net. Analogously, the {e, x}-places of
the second net retain their x-capability. When {e, x}-places of both nets are
combined together, these new places are consequently treated as {e, x}-places.

Under iteration, the pure entry and exit sets of a net are merged either
directly (fig. 5(b)), or via a place of some auxiliary net (fig. 5(c)), when an
outcome without combined {e, x}-places is preferred. One of the distinctions
between versions I and II of iteration will be exemplified in section 7.

Under choice composition (fig. 5(d)), symmetry of the treatment of the
nets implies that, as soon as a token has entered an {e, x}-place of one net, it can
at once be considered as contained in an exit place of this net and consequently
as being at the level of the exit places of the other net. Therefore, systematically,
under choice composition, the {e, x}-places of each net have to be combined with
both pure entry and pure exit places of the other net. (Thus, for instance,
a net consisting of a single {e, x}-place, in choice with a net consisting of an
{e}-place, an a-labelled transition and an {x}-place, is the same as an iteration, a*, of a.)

Under refinement composition (fig. 5(e)), the intuition is similar to that cor-
responding to the choice, a difference being, however, that the (pure) entry, exit
and side places of the refined transition play now the role of the (pure) entry,
exit, and {e, x}-places of a net in the choice composition, respectively.

For reasons of space, we consider in this paper only three operations: par- 
allel composition, sequence and refinement. The ideas, formal definitions, and 
properties of the others are exposed in [?]. The following definitions of sequential
composition and transition refinement are in their most general representation; 
they reduce to a noticeably simpler form if, for example, participating net(s) do 
not have combined {e, a;}-places, or if the to-be-refined transition does not have 
side places. 

6 Parallel Composition 

Parallel composition of two basis-disjoint nets is synonymous to the union of 
MNB’s; the former serves as an independent operator, the latter is used as an 
auxiliary step in the definitions of operators. 

Definition 14. (Parallel Composition) Let $N_1$ and $N_2$ be two basis-disjoint
MNB’s over the same ψ. Then $N_1 \parallel N_2 = N_1 \cup N_2$.

Parallel composition is commutative, associative, and coherent w.r.t. unfolding. 

7 Sequential Composition 

Definition 15. (Sequential Composition) Let $N_1$ and $N_2$ be two basis-disjoint
MNB’s over the same ψ. Then,

$N_1; N_2 = ((N_1 \cup N_2) \oplus (\bigotimes^{\{i\}}_{\psi}\{N_1^\circ, {}^\circ N_2\} \cup \bigotimes^{\{e\}}_{\psi}\{{}^\bullet N_1 \cap N_1^\bullet, {}^\circ N_2\} \cup \bigotimes^{\{x\}}_{\psi}\{N_1^\circ, {}^\bullet N_2 \cap N_2^\bullet\} \cup \bigotimes^{\{e,x\}}_{\psi}\{{}^\bullet N_1 \cap N_1^\bullet, {}^\bullet N_2 \cap N_2^\bullet\})) \mathrel{rs} (N_1^\bullet \cup {}^\bullet N_2)$.

If there are no {e, x}-places in either net, then only the first of the four dis-
juncts remains in this definition: $N_1; N_2 = ((N_1 \cup N_2) \oplus \bigotimes^{\{i\}}_{\psi}\{N_1^\circ, {}^\circ N_2\}) \mathrel{rs} (N_1^\bullet \cup {}^\bullet N_2)$.

Consider the example in fig. 6, where only place statuses and transition labels
are shown; the types of all places are assumed to be the same singleton set, e.g.
{{0}} (this corresponds to ordinary place/transition nets).

Fig. 6. Motivating place connections under sequential composition.

The rationale behind the above definition in its {e, x}-places-related part, in
addition to being systematically motivated in section 5, can be supported by
behavioural reasons. Since the initial marking of $N_1$ is also final, and thus can
instantaneously be re-interpreted as the initial marking of $N_2$ (tokens on {s2}
and {s4}), it can be expected that, under the {0}-marking of the entry places
(i.e. those having status {e} or {e, x}), the firing sequences in the sequential
composition of nets $N_1$ and $N_2$ are a*b. In the right-hand side of the figure,
net $N_1; N_2$ is shown, obtained corresponding to def. 15. It can be checked that
$N_1; N_2$, with the initial marking consisting of tokens {0} on {s1, s2} and {s1, s4},
produces the same firing sequences.

The case of a sequential composition of two nets corresponding to iterations
a* and b*, i.e. the sequence a*; b*, is worth being pointed out. Suppose that a* is
modelled as $N_1$ in fig. 6 and similarly b* by another such net. This corresponds
to using iteration-I in both cases. Then our operator for sequential composition
yields a net with two transitions and a single place, with status {e, x}, which
is a side place for both transitions, i.e. a net with behaviour (a|b)*. Suppose,
on the other hand, that a* is modelled using iteration-II. This yields a net with
an a-labelled transition and a side place s to it, as before. However, s now has
status {i}, and a silent (i.e., ∅-labelled) transition leads from an {e}-labelled
place to s, and another silent transition leads from s to an {x}-labelled place.
Suppose that b* is modelled similarly. Then the sequential composition yields a
net having behaviour ∅a*∅∅b*∅ (i.e., a*b* if silent transitions are neglected).

This example can hardly be interpreted as pointing to a deficiency in the
definition of sequential composition. Rather, the effect seems to be inherent in
the M-net framework, since it can be shown that there is no M-net without silent
transitions whose behaviour is a*b*. It is also one of the reasons for distinguishing
two versions of iteration.

Theorem 1. (Properties of Sequential Composition) Let $N_1$, $N_2$, and $N_3$ be
mutually basis-disjoint MNB’s over the same ψ. Then the following hold:

(1) (Associativity) $(N_1; N_2); N_3 = N_1; (N_2; N_3)$;

(2) (Coherence w.r.t. unfolding) $U(N_1; N_2) = U(N_1); U(N_2)$.

8 Transition Refinement 

In the definition of transition refinement, we permit side places for the to-be-
refined transition. However we do not allow {e, x}-places in the refining net,
because otherwise the commutativity of the refinement in the general case could
be destroyed¹. Under refinement, the statuses of new places are determined by
the statuses of the contributing places from the main net. Under this convention,
we do not put any τ over ⊗ in the following definition.

Definition 16. (Single-Mode Transition Refinement) Let N and $N_0$ be two
basis-disjoint MNB’s over the same ψ, $t_0 \in T$ with $|\alpha(t_0)| = 1$, ${}^\bullet N_0 \cap N_0^\bullet = \emptyset$,
and let $\{{}^\bullet N_0, N_0^\bullet\}$ be ψ-compatible. The net obtained by refining transition $t_0$ in
N with $N_0$ is defined as:

$N[t_0 \leftarrow N_0] = (((N \mathrel{rs} t_0) \cup N_0) \oplus (\bigotimes\{{}^\circ t_0, {}^\bullet N_0\} \cup \bigotimes\{t_0^\circ, N_0^\bullet\}
\cup \bigotimes\{\text{side places of } t_0, {}^\bullet N_0, N_0^\bullet\})) \mathrel{rs} ({}^\bullet t_0 \cup t_0^\bullet \cup {}^\bullet N_0 \cup N_0^\bullet)$.

If there are no side places next to transition $t_0$, then only two disjuncts,
namely $\bigotimes\{{}^\circ t_0, {}^\bullet N_0\}$ and $\bigotimes\{t_0^\circ, N_0^\bullet\}$, remain in the above definition.

Two examples of transition refinement are shown in fig. 7. They are of mixed
- weak and strong - composition type and represent two different cases from the
structural point of view: in the first one, $t_0$ does not have side places; in the
second one, $t_0$ has a side place, and, in addition, an entry place of $N_0$ is at the
same time a side place of some transition in $N_0$.

Theorem 2. (Properties of Transition Refinement) Let N, $N_1$, and $N_2$ be
mutually disjoint MNB’s. Then the following hold:

(1) (Commutativity-I) If $t_1, t_2 \in T$ then
$(N[t_1 \leftarrow N_1])[t_2 \leftarrow N_2] = (N[t_2 \leftarrow N_2])[t_1 \leftarrow N_1]$;

(2) (Commutativity-II) If $t_1 \in T$ and $t_2 \in T_1$ and ($t_1$ has no side places $\vee$ $({}^\bullet t_2 \cup t_2^\bullet) \cap
({}^\circ N_1 \cup N_1^\circ) = \emptyset$), then $(N[t_1 \leftarrow N_1])[t_2 \leftarrow N_2] = N[t_1 \leftarrow (N_1[t_2 \leftarrow N_2])]$;

(3) (Coherence w.r.t. unfolding) $U(N[t_1 \leftarrow N_1]) = U(N)[t_1 \leftarrow U(N_1)]$.

Because of this theorem and the possibility of splitting a transition with many
modes into a series of transitions with single modes, def. 16 can be generalised
directly to multi-mode transitions.

¹ Actually, we have a hunch that this restriction is non-essential. We are presently
working to overcome this limitation.
Fig. 7. $N[t_0 \leftarrow N_0]$: (a) $t_0$ without side places, (b) $t_0$ with side places.



9 Conclusions 



We have introduced a set of generic schemes for high-level net composition oper- 
ations. A uniform approach has allowed us to obtain operations which preserve 
nice algebraic properties while remaining coherent with respect to net unfold- 
ing. Equipped with a parameter value set, the proposed schemes enable us to 
implement different - strong, weak, and mixed - composition disciplines. These 
definitions have been justified by examples, by proving the desired algebraic 
(structural) laws (and also by the fact that in the purely strong case, and neg- 
lecting {e, x} interface, they reduce to better known constructions).

Our approach differs from other research in similar direction, e.g. [?], in
particular by the following: (a) combined entry/exit places are allowed, (b) val- 
ues are sets rather than more complicated labelled trees, (c) associativity and 
commutativity of the operations hold as equalities, and the coherence w.r.t. un- 
folding holds as isomorphism up to place renaming. 
A formal behavioural justification of our operations (along the line hinted at
in discussing fig. 6) has not been the objective of this paper, but this is a task
that is planned to be done in future research. In [?] Thielke provides such a
formal justification for a subtheory (without weak values, without intersecting
types and without {e, x} places).

Other future research includes elaborating place-oriented refinement opera- 
tions, developing a formal definition of a universal, place- and transition-oriented, 
refinement scheme, extending it to a ‘net-for-subnet substitution’ case, and pos- 
sibly embedding linear algebraic elements as inherent parts into composition 
operations. 
Abstract. Model checking of place/transition-nets based on partial or-
der semantics has been applied successfully to the analysis of causal
behaviour of distributed systems. Here, this approach is extended to the
causal behaviour of time Petri nets. Expansion of a time Petri net to
an equivalent P/T-net is defined, and it is shown that (an abstraction
of) the McMillan unfolding of the expanded net is sufficient for model
checking w.r.t. formulae of a simple branching time temporal logic $\mathcal{L}$.



1 Introduction 

Model checking is a widely accepted method for proving properties of distributed 
systems but faces the problem of ‘state explosion’. To tackle this problem, besides 
partial order reductions [13] or BDD-based techniques [7, 16] also methods based 
on partial order semantics have been applied. The latter have proven especially 
successful with systems with a high degree of asynchronous parallelism [5, 9]. 

Safety critical applications often require verification of real time constraints, 
in addition to functional or qualitative temporal properties. For this task, model 
checking algorithms have been developed based on interleaving semantics (cf. e.g. 
[1, 19]), but much less work has been done starting from partial order semantics 
(cf. section 5 for some exceptions). By extending McMillan’s [17] technique of 
unfolding safe Petri nets to the class of safe time Petri nets [18] this paper takes 
a step in this direction. 

In [9], a branching time temporal logic $\mathcal{L}$ for safe nets is introduced. A model
checking algorithm is given based on the finite prefix of the maximal branching
process of a net N, the McMillan-unfolding McM(N) of N (cf. also [10]). One
might naively assume that in order to extend this approach to safe time Petri
nets, it is sufficient to take the McMillan-unfolding of the underlying P/T-net
and reduce it to that part which is not prohibited by the time restrictions. The
following example of Figure 1 shows that this is not true.

First, consider the net TNi (Figure 1 (i)) without time restrictions. Its pos- 
sible (concurrent) behaviour is described in Figure 1 (ii). All behaviour happens 
to remain realizable under the time requirements in the sense that for each con- 
current run of the system there is a timing schedule respecting the requirements. 
Fig. 1. A time Petri net $TN_1$ and its behaviour

The untimed behaviour of $TN_1$ (cf. Figure 1(ii)) satisfies the following property
$\varphi_1$: It always holds that, if $p_2$ and $p_3$ are marked, then possibly $p_0$ becomes
marked.

But, if $t_0$ occurs in $TN_1$ at time 0, then $t_2$ becomes enabled at time 0 and
has to occur at time 2. On the other hand, $t_1$ is forced to occur at time 1, so
$t_3$ is enabled at time 1. However, $t_3$ cannot occur before time 3, and, since $p_2$ is
not marked after time 2, $t_3$ can never occur at all. Hence, this property is not
satisfied by $TN_1$. This is reflected by the net’s behaviour if we represent lapse of
time by inserting special events called tic-events (cf. Figure 1(iii)): If $t_0$ occurs
at time 0 (i.e. before any tic-event), then $t_3$ never becomes enabled.

The key idea of the approach presented here consists in transforming time 
restrictions into net structure, i.e. representing them by additional places, tran- 
sitions, and arcs. Following this approach, for a given time Petri net TN the 
time-expansion X{TN) is constructed as an ordinary P/T-net. Moreover, it is 
shown that an $\mathcal{L}$-formula $\varphi$ is satisfied by TN iff it is satisfied by the time-
expansion X(TN). Subsequently, the McMillan-unfolding McM(TN) of TN is
defined by (an abstraction of) McM(X(TN)). As will be shown in [11], for the
actual computation of McM(TN) the explicit construction of the (complex) net
X(TN) is not necessary.

An additional benefit of this approach is given by the fact that corresponding 
tools for P/T-nets may be reused for the causal analysis of time Petri nets, which 
applies especially to the model checking component of the PEP tool [5] . 

We proceed as follows: In section 2 the notions used throughout the paper 
are introduced. Section 3 contains the definition of time expansion of time Petri 
nets. The new method for model checking of time Petri nets is given in section 
4, based on the ‘finite prefix’ of the time expansion. We conclude with discussing 
some related work (section 5) and with remarks on further research (section 6). 

An extended version of this paper is presented in [6]. 



2 Basic Notions 

In this section, a partial order semantics as well as a temporal logic for safe
Place/Transition-nets (P/T-nets) is defined and a notion of time is added to
P/T-nets. Moreover, the temporal logic is extended to time Petri nets. Note
that most notions carry over to bounded P/T-nets.



2.1 Processes of Place/Transition-Nets 

Let N = (P, T, F, M_0) be a P/T-net. N is called safe iff M(p) ∈ {0, 1} for all
p ∈ P holds for any reachable marking M. For the rest of the paper, only safe nets
are considered. Nodes x_1, x_2 ∈ (P ∪ T) are in conflict (x_1 # x_2) iff there exist
distinct transitions t_1, t_2 ∈ T such that •t_1 ∩ •t_2 ≠ ∅ and (t_1, x_1), (t_2, x_2) ∈ F*,
the reflexive and transitive closure of F. x ∈ (P ∪ T) is in self-conflict iff x # x.

Often, the behaviour of a P/T-net N is described via the reachability graph.
Its vertices consist of the set of all reachable markings of N and there is an edge
leading from M to M', which is labeled by t iff M —t→ M'. However, using the
reachability graph the concurrent behaviour of N cannot be retrieved easily and
all interleavings of concurrent behaviour have to be represented explicitly, which
often leads to an unnecessary exponential blow up.

In part, these problems are avoided by the maximal branching process, which
associates a partial order semantics to each safe net N [9]. A causal process of a
safe P/T-net N describes a possible run of N, displaying the causal dependencies
of the events that take place during the run. A branching process may represent
different alternative runs of N in one structure and hence may be seen as the union
of some causal processes. It consists of an occurrence net and a homomorphism.

An occurrence net CN = (B, E, G) is an acyclic net such that |•b| ≤ 1 for
all b ∈ B, no event e ∈ E is in self-conflict, and for all x ∈ (B ∪ E), the set
of elements y ∈ (B ∪ E) such that (y, x) ∈ G* is finite. The elements of B (E,
respectively) are called conditions (events, respectively). ≤ denotes the partial
order induced by G on B ∪ E; < denotes the corresponding strict partial order;
Min(CN) denotes the set of minimal elements of CN w.r.t. ≤. A causal net is
an occurrence net which also satisfies |b•| ≤ 1 for every condition b.

A homomorphism from an occurrence net CN to a P/T-net N is a mapping
π : (B ∪ E) → (P ∪ T) such that π(B) ⊆ P and π(E) ⊆ T, for all e ∈ E, the
restriction of π to •e is a bijection between •e and •π(e) and the restriction of
π to e• is a bijection between e• and π(e)•, the restriction of π to Min(CN)
is a bijection between Min(CN) and M_0, and for all e_1, e_2 ∈ E it holds that if
•e_1 = •e_2 and π(e_1) = π(e_2) then e_1 = e_2.

A branching process of a P/T-net N is a pair β = (CN, π), consisting of
an occurrence net CN, and a homomorphism π from CN to N. β is a causal
process of N iff CN is a causal net. For each P/T-net N, there exists a unique
(up to renaming of conditions and events) maximal branching process β_m where
'maximal' is related to the prefix ordering (cf. [8]). An initial part of a causal
process may be represented uniquely by the set of events contained in that part:
A configuration C of a process β is a downward closed conflict-free set of events,
i.e., a set C ⊆ E such that e ∈ C implies e' ∈ C for all e' ≤ e, and, for all
e, e' ∈ C, e # e' does not hold. For each event e, [e] = {e' ∈ E | e' ≤ e} denotes
the configuration generated by e. Note that each configuration C of a branching
process β = (CN, π) uniquely determines a causal process, containing C as set of
events and all conditions connected to elements of C in CN as set of conditions.
Arcs and labels are also inherited from CN. Hence, notions defined for (causal)
processes may also be applied to configurations and vice versa.

A configuration C defines a unique marking, consisting of exactly all condi-
tions of CN which are marked after occurrence of all events of C: A co-set is a set
B' of conditions of an occurrence net CN such that, for all b ≠ b' ∈ B', neither
b < b' nor b' < b nor b # b'. A cut is a maximal co-set B' (w.r.t. set inclusion).
The cut of a finite configuration C is defined by Cut(C) = (Min(CN) ∪ C•) \ •C.
A configuration C of a process β = (CN, π) defines a marking of N by
Mark(C) = π(Cut(C)). Note that a marking M is reachable in a P/T-net N
iff the maximal branching process β_m of N contains some configuration C such
that M = Mark(C).

Figure 1(ii) shows a causal branching process of the P/T-net underlying the
time Petri net TN_1. Names of conditions and events are omitted; the image of
a vertex x under π (also called label of x) is written beside it.



2.2 A Temporal Logic for Safe P/T-Nets 

In this section we introduce the temporal logic L for safe P/T-nets defined in
[9]. Later on we will extend this logic to time Petri nets and show how the model
checking algorithm of [9] can be applied.

Let N be a P/T-net. The syntax of L over N is presented in Figure 2.

Properties of the current marking of a P/T-net N are expressed using place
assertions. E.g., a formula 's_1 ∧ s_2' expresses that places s_1 and s_2 are marked.
'◇φ' means that a marking satisfying 'φ' is reachable. The derived operator '□φ'
signifies that 'φ' is satisfied at all reachable markings.
    φ ::=  true                  (Truth)
        |  s,  s ∈ P_N           (Place Assertion)
        |  ¬φ                    (Negation)
        |  φ_1 ∧ φ_2             (Conjunction)
        |  ◇φ                    (Possibly φ)

    false         = ¬true                 (Falsehood)
    (φ_1 ∨ φ_2)   = ¬(¬φ_1 ∧ ¬φ_2)        (Disjunction)
    (φ_1 ⇒ φ_2)   = ¬φ_1 ∨ φ_2            (Implication)
    □φ            = ¬◇¬φ                  (Always φ)

Fig. 2. Esparza's Temporal Logic



Satisfaction of a formula φ w.r.t. a P/T-net N is defined inductively as fol-
lows. Let C be a finite configuration of a branching process β of N. The super-
script N is dropped if it is clear from the context.

    (β, C) ⊨^N true
    (β, C) ⊨^N p           iff p ∈ Mark(C)
    (β, C) ⊨^N ¬φ          iff not (β, C) ⊨^N φ
    (β, C) ⊨^N φ_1 ∧ φ_2   iff (β, C) ⊨^N φ_1 and (β, C) ⊨^N φ_2
    (β, C) ⊨^N ◇φ          iff (β, C') ⊨^N φ for some finite configuration C' ⊇ C
    β ⊨^N φ                iff (β, ∅) ⊨^N φ
    N ⊨ φ                  iff β_m ⊨^N φ.



The McMillan-unfolding of a P/T-net N was defined in [16] as a finite prefix
of the maximal branching process β_m of N such that each reachable marking of
N occurs as an image of some cut of this prefix. Let N be a P/T-net and β_m its
maximal branching process. Let ⊥ be a new event ('pseudo-event') and define
[⊥] = ∅. An event e ∈ E_m ∪ {⊥} is a cut-off event iff there exists an event e' such
that |[e']| < |[e]| and Mark([e]) = Mark([e']). Let E_f be the set of events of β_m
given by: e ∈ E_f iff no event e' < e is a cut-off event. β_f = (B_f, E_f, F_f, π_f), the
prefix of β_m having E_f as set of events, is called McMillan-unfolding of N and
denoted by McM(N). It can be shown to be unique and finite.

Let Sat(φ)_N and Sat_f(φ)_N denote, respectively, the set of finite configu-
rations of the maximal branching process and the set of configurations of the
McMillan-unfolding of the P/T-net N that satisfy φ. Since Sat(φ)_N = ∅ implies
(not N ⊨ φ), which is equivalent to N ⊨ ¬φ, the model checking problem re-
duces to checking emptiness of Sat(φ)_N. Esparza's theorem [9] states that for
the latter it is sufficient to inspect Sat_f(φ)_N.

To simplify notation, a different but equivalent definition of the satisfaction
relation will be applied in this paper. Let N be a P/T-net, φ an L-formula, and
M a marking of N. Then:

    M ⊨' true
    M ⊨' p           iff p ∈ M
    M ⊨' ¬φ          iff not M ⊨' φ
    M ⊨' φ_1 ∧ φ_2   iff M ⊨' φ_1 and M ⊨' φ_2
    M ⊨' ◇φ          iff M' ⊨' φ for some marking M' reachable from M
    N ⊨' φ           iff M_0 ⊨' φ.

Proposition 1. Let N be a P/T-net and φ a formula over N. Then:

    N ⊨ φ iff N ⊨' φ.



2.3 Time Petri Nets 



Time Petri nets were introduced in [18]. Following the reasoning of [20,22], we
consider time Petri nets with discrete time (also cf. [6]).

A safe time Petri net TN consists of a safe P/T-net (P_TN, T_TN, F_TN)
and a transition inscription χ_TN : T → 𝕀 (where 𝕀 = ℕ × ℕ) by closed time
intervals with nonnegative integer bounds. The subscripts are omitted if clear
from the context.

For χ(t) = (eft(t), lft(t)) we call eft(t) (lft(t), respectively) the earliest firing
time (latest firing time, respectively) of t. The intended meaning is that eft(t)
(lft(t), respectively) denotes the minimal (maximal, respectively) number of time
units which may pass between enabling and occurrence of t. χ(t) is denoted by
(eft, lft) if t is clear from the context. A time Petri net TN is called safe if its
underlying P/T-net N is safe.

A state (M, I) of a time Petri net is given by a marking M of the underlying
P/T-net together with a clock vector I : T → (ℕ ∪ {$}) such that I(t) =
$ or I(t) ≤ lft(t) for all t ∈ T. The clock vector associates a clock to each
transition, showing the number of time units that have elapsed since enabling of
the transition, the $-symbol indicating that the corresponding transition is not
enabled at all. State (M, I) is called consistent iff, for all t ∈ T, I(t) ≠ $ ⟺ t ∈
Enabled(M). Only consistent states will be considered.

For a clock vector I and a time delay θ ∈ ℕ such that I(t) + θ ≤ lft(t) for
all t ∈ Enabled(M), (I + θ) is defined by

    (I + θ)(t) =  I(t) + θ   if t ∈ Enabled(M)
                  $          otherwise.

The initial state (M_0, I_0) is given by the initial marking M_0 of the underlying
P/T-net and the initial clock vector I_0 defined by

    I_0(t) =  0   if t ∈ Enabled(M_0)
              $   otherwise.



Two types of events are considered for a time Petri net, namely events during
which time passes (called tic-events) and events during which a transition occurs
(called occur-events):

1. Tic-event: The tic-event tic is fireable at state (M, I) iff no transition is
forced to occur in between, i.e. iff for all t ∈ Enabled(M), I(t) < lft(t). In
this case, the successor state (M', I') is given by M' = M and I' = (I + 1).
The tic-event is denoted by (M, I) —tic→ (M', I').

2. Occur-events: An occur-event is fireable at state (M, I) iff some transition t
may occur, i.e. if t ∈ Enabled(M) and eft(t) ≤ I(t) ≤ lft(t). In this case, the
successor state (M', I') is given by M' = (M \ •t) ∪ t• and

    I'(t') =  $       if t' ∉ Enabled(M')
              0       if t' ∉ Enabled(M \ •t) ∧ t' ∈ Enabled(M')
              I(t')   otherwise.

An occur-event is denoted by (M, I) —t→ (M', I').

A set of transitions {t_1, ..., t_n} is concurrently fireable from state (M, I) iff,
for 1 ≤ i ≤ n, t_i is fireable from state (M, I) and, for all 1 ≤ i < j ≤ n,
•t_i ∩ •t_j = ∅. A firing schedule of a time Petri net TN is a finite or infinite
sequence σ = (t_0 t_1 t_2 ...) such that, for all i, t_i ∈ T or t_i = tic. σ is fireable
at state S = S_0 iff there exist states S_1, S_2, S_3, ... such that, for all i, t_i is
fireable at S_i and leads to S_{i+1}. State S is called reachable from S_0 via σ iff
some fireable firing schedule σ leads from S_0 to S. A marking M is reachable via
σ iff, for some clock vector I, there is a state (M, I) reachable via σ.

Consider the net TN_1 of Figure 1. The initial clock vector is given by
I_0(t_0) = I_0(t_1) = 0 and I_0(t_2) = I_0(t_3) = $. For example, the firing sched-
ule σ = (tic t_0 t_1 tic tic t_3 t_0 tic t_1) is fireable at (M_0, I_0).

The behaviour of a time Petri net TN can be described by the reachability
graph [20], which - as in the case of P/T-nets - faces the same problems of not
reflecting the concurrent behaviour, but instead representing all interleavings of
concurrent events.

The logic L may be extended to time Petri nets. Let TN be a time Petri net,
φ a formula, and (M, I) a state of TN. The superscript TN is dropped if it
is clear from the context.

    (M, I) ⊨_t^TN true
    (M, I) ⊨_t^TN p           iff p ∈ M
    (M, I) ⊨_t^TN ¬φ          iff not (M, I) ⊨_t^TN φ
    (M, I) ⊨_t^TN φ_1 ∧ φ_2   iff (M, I) ⊨_t^TN φ_1 and (M, I) ⊨_t^TN φ_2
    (M, I) ⊨_t^TN ◇φ          iff (M', I') ⊨_t^TN φ for some state (M', I')
                                  reachable from (M, I)
    TN ⊨_t^TN φ               iff (M_0, I_0) ⊨_t^TN φ

E.g. property Q of the introductory example is expressed by the formula
φ = □((p_2 ∧ p_3) ⇒ (◇p_0)), which is not satisfied by TN_1.
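
The state and event semantics of Section 2.3 (clock vectors, tic- and occur-events,
firing schedules) and the timed satisfaction relation just defined, as an added
example that is not part of the paper: a Python model of a safe time Petri net
with discrete time, a search over its (finite) reachable states, and a checker for
⊨_t over L-formulas with □ as the derived operator of Figure 2. The net, its place
and transition names and its inscriptions are constructed for this example and
reproduce the mechanism of the introductory example (a transition that the
untimed net can always fire, but that starves once an earlier transition fires before
the first tic); None plays the role of the clock value $.

```python
"""Section 2.3 semantics of safe time Petri nets with discrete time, plus the timed
satisfaction relation ⊨_t.  Added example, not the paper's code; None stands for $."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple

TIC = "tic"
Marking = FrozenSet[str]
Clocks = Tuple[Tuple[str, Optional[int]], ...]    # sorted (t, I(t)) pairs, hashable
State = Tuple[Marking, Clocks]


@dataclass
class TimePetriNet:
    pre: Dict[str, FrozenSet[str]]     # •t
    post: Dict[str, FrozenSet[str]]    # t•
    chi: Dict[str, Tuple[int, int]]    # χ(t) = (eft(t), lft(t))
    m0: Marking

    def enabled(self, m: Marking) -> Set[str]:
        return {t for t, p in self.pre.items() if p <= m}

    def initial_state(self) -> State:
        # I_0(t) = 0 if t ∈ Enabled(M_0), $ otherwise
        en = self.enabled(self.m0)
        return (self.m0, tuple(sorted((t, 0 if t in en else None) for t in self.chi)))

    def tic(self, s: State) -> Optional[State]:
        # fireable iff no enabled transition is forced, i.e. I(t) < lft(t) for all enabled t
        m, I = s[0], dict(s[1])
        if any(I[t] >= self.chi[t][1] for t in self.enabled(m)):
            return None
        # successor (M, I + 1): clocks of enabled transitions advance, the others stay $
        return (m, tuple(sorted((t, None if v is None else v + 1) for t, v in I.items())))

    def occur(self, s: State, t: str) -> Optional[State]:
        # fireable iff t ∈ Enabled(M) and eft(t) ≤ I(t) ≤ lft(t)
        m, I = s[0], dict(s[1])
        eft, lft = self.chi[t]
        if t not in self.enabled(m) or not (eft <= I[t] <= lft):
            return None
        m_mid = m - self.pre[t]                  # intermediate marking M \ •t
        m_new = m_mid | self.post[t]             # M' = (M \ •t) ∪ t•
        en_mid, en_new = self.enabled(m_mid), self.enabled(m_new)
        # I'(u) = $ if u ∉ Enabled(M'); 0 if newly enabled (u ∉ Enabled(M \ •t)); I(u) otherwise
        I2 = {u: (None if u not in en_new else 0 if u not in en_mid else I[u]) for u in I}
        return (m_new, tuple(sorted(I2.items())))

    def successors(self, s: State) -> Dict[str, State]:
        nxt = {TIC: self.tic(s), **{t: self.occur(s, t) for t in self.chi}}
        return {k: v for k, v in nxt.items() if v is not None}

    def reachable_from(self, start: State) -> Set[State]:
        seen, stack = set(), [start]
        while stack:
            s = stack.pop()
            if s not in seen:
                seen.add(s)
                stack.extend(self.successors(s).values())
        return seen

    def run(self, schedule) -> Optional[State]:
        # final state of a firing schedule σ, or None if σ is not fireable at (M_0, I_0)
        s = self.initial_state()
        for step in schedule:
            s = self.successors(s).get(step)
            if s is None:
                return None
        return s


# L-formulas as nested tuples: ("true",), ("place", p), ("not", f), ("and", f, g), ("ev", f)
def always(f):                  # derived operator □f = ¬◇¬f
    return ("not", ("ev", ("not", f)))


def sat(tn: TimePetriNet, s: State, f) -> bool:
    op = f[0]
    if op == "true":
        return True
    if op == "place":
        return f[1] in s[0]
    if op == "not":
        return not sat(tn, s, f[1])
    if op == "and":
        return sat(tn, s, f[1]) and sat(tn, s, f[2])
    if op == "ev":              # ◇f: some state reachable from (M, I) satisfies f
        return any(sat(tn, r, f[1]) for r in tn.reachable_from(s))
    raise ValueError(op)


def models(tn: TimePetriNet, f) -> bool:
    return sat(tn, tn.initial_state(), f)        # TN ⊨_t φ iff (M_0, I_0) ⊨_t φ


def example_net() -> TimePetriNet:
    # constructed net: x is always realizable in the untimed net, but starves if u
    # fires before the first tic (the role t_3 plays in the introductory example)
    fs = frozenset
    return TimePetriNet(
        pre={"u": fs({"a"}), "v": fs({"b"}), "w": fs({"d"}), "x": fs({"b", "f"})},
        post={"u": fs({"b"}), "v": fs({"c"}), "w": fs({"f"}), "x": fs({"e"})},
        chi={"u": (0, 1), "v": (2, 2), "w": (1, 1), "x": (2, 3)},
        m0=fs({"a", "d"}),
    )
```

With this net, ◇e holds at (M_0, I_0), but □((b ∧ f) ⇒ ◇e) fails because the
schedule (u tic w) reaches a state with b and f marked from which x can never fire.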

3 Expanding Time Restrictions 

In this section, the notion of time-expansion of a time Petri net TN into a P/T-
net N = X(TN) is introduced. It is shown that N captures the behaviour of TN
in the sense that satisfaction w.r.t. the temporal logic L is preserved. In general,
the size of X(TN) may be exponential in the size of TN, but the unfolding of
TN may be generated without explicitly constructing X(TN) (cf. [11]). Still, the
definition of X(TN) is needed to obtain a proper definition of the finite prefix
of TN.

For the construction of N we will start with the P/T-net underlying TN and 
then add parts representing the components of TN related to time. First, clock 
vectors have to be represented in N. This is done by adding new places for the 
possible clock positions for each transition t. 

Next, new transitions are introduced modelling tic-events. Since we would
like to represent time dependence of conditions and events in TN by causal
dependence in the time-expansion, these have to take into account also TN's
'original' places. The obvious solution is to introduce, for each state (M, I) of TN
which enables a tic-event, a new transition, having M and the places representing
I as preset and M and the places representing (I + 1) as postset. But this solution
causes a problem: If M' ⊆ M, then the tic-transition for (M', I) instead of the
tic-transition for (M, I) may fire, possibly leaving some places untouched. To
avoid this problem, for each place p of TN, we introduce a new 'complementary'
place p^c. Consequently, the marking part of (M, I) is represented by M ∪ M^c
where M^c = {p^c | p ∈ P ∧ p ∉ M} in N.

At last, we have to re-adjust the transitions of TN, since these have to respect
the complementary places and the clock places (fire-transitions). The first task
is fulfilled by having •t ∪ {p^c | p ∈ t•} as part of the preset and t• ∪ {p^c | p ∈ •t}
as part of the postset (except for those places which are contained in both preset
and postset of t). The second task raises new problems (see figure 3).




Fig. 3. Problems with updating of clocks 



First, consider the time Petri net in part (i) of figure 3. If both t_0 and t_1
fire, then the clock for t_2 has to be started. But this can be decided neither
by t_0 nor by t_1 alone. We will solve this problem by allowing fire-transitions to
produce an intermediate marking representing an inconsistent state and by in-
troducing additional repair-transitions called update-transitions. Subsequently,
also the tic-transitions have to be re-adjusted to act properly on inconsistent
states. Otherwise, faulty time distributions would be generated.

Second, consider (ii) of figure 3. Note that t_0 and t_2 are concurrently enabled.
Upon firing, any of t_0 and t_2 has to switch off the clock for t_1. Hence, transitions
modelling t_0 and t_2 in N have to synchronize on the clock-places for t_1. This
introduces a conflict between t_0 and t_2, i.e. concurrency gets lost. This problem
may also be fixed by leaving switching off the clock for t_1 to some update- or
tic-transition.

Update- and tic-transitions are not sufficient to treat correctly the net of
part (iii) of figure 3. Consider e.g. a state ({p_0, p_1}, I) in which t_2 is enabled.
Here, t_0 may occur, leading to a state ({p_1, p_2}, I') in which the clock of t_2 has
been restarted at 0. But in the approach sketched here, the clock of t_2 would keep
its old value, and there is no inconsistency between the marking part and the
clock part of this state. Thus a repair-transition cannot help. The problem relies
on the fact that t_2 becomes disabled and newly enabled at the same instance of
time or, equivalently, that a token is removed from p_1 and a token is put on p_1
at the same instance of time.

In this special case the problem could be solved by introducing a private set
of clock places w.r.t. t_1 for both t_0 and t_1, and by allowing firing of t_1 only if both
its clocks are running. This solution also works in the general case, but leads to a
much more involved definition of time-expansion and to a bigger time-expanded
net X(TN). Instead, we will restrict the class of nets under consideration by
introducing a requirement of (local) time-divergence: If a place p loses its token
at time θ, then no token will arrive at p before time θ + 1.^1

Places of Petri nets denote (local) state. Hence, the divergent-time condition 
demands that if a local state is left it may not be entered again at the same 
instance of time. The latter property is fulfilled in many practical applications. 
Consider e.g. a resource with exclusive access: Here a local state (i.e. a place) may 
serve as a guard for the resource, a token in the place indicating availability of 
the resource. In this case, the time elapsing between the token leaving the place 
and a new token entering the place corresponds to the time for one allocation 
cycle of the resource. If time requirements are at all taken into account it is very 
reasonable to assume that this needs some non-zero amount of time. 

These considerations lead to the following definitions: 

Definition 1. [Divergent-Time Property]

Let TN = (P, T, F, χ, M_0) be a time Petri net. TN satisfies the divergent-time
property (and is called DT-net) iff the following holds: If (t_1 ... t_n) is enabled at
(M, I) in TN such that •t_1 ∩ t_n• ≠ ∅, then, for some i ∈ {1, ..., n},
t_i = tic. □

Definition 2. [Time-Expansion]

Let TN = (P, T, F, χ, M_0) be a DT-net. The time-expansion of TN is given
by the P/T-net X(TN) = (P_X, T_X, F_X, M_X0) defined as follows:

^1 Note that the requirement of locally divergent time is slightly stronger than that
given in [3], but may be fully released if the 'multiple clock solution' is chosen.
1. For each place p ∈ P, a new (complementary) place p^c is introduced. The
set of these places is denoted by P^c.

2. For each transition t ∈ T new places p_t^$, p_t^0, ..., p_t^lft(t) are introduced. The
intended meaning of these places is to describe all possible clock positions
for the corresponding transition t. The set of the new places is denoted as
Clock, and the places are referred to as clock-places.

3. For a clock function I of TN, let PL(I) = {p_t^I(t) | t ∈ T}. The time-expansion
of a state (M, I) of TN is defined by X(M, I) = (M ∪ M^c ∪ PL(I)), where
M^c = {p^c | p ∈ (P \ M)}.

4. For each state (M, I) of TN such that a time-event may occur a new tran-
sition tic(M, I) is introduced, having M ∪ M^c ∪ PL(I) as its preset, and
M ∪ M^c ∪ PL(I') as its postset, where, for all v ∈ T,

    I'(v) =  I(v) + 1   if I(v) ≠ $ ∧ v ∈ Enabled(M)
             1          if I(v) = $ ∧ v ∈ Enabled(M)
             $          otherwise.

These transitions are intended to model time-events and, in addition, up-
dating clock vectors. The set of these transitions is denoted as Tic, and the
transitions are referred to as tic-transitions.

5. For each transition t in TN and for eft(t) ≤ i ≤ lft(t), a new transition t(i)
is introduced. The preset of t(i) is given by •t ∪ {p^c | p ∈ (t• \ •t)} ∪ {p_t^i}
and the postset by t• ∪ {p^c | p ∈ (•t \ t•)} ∪ {p_t^$}.

These transitions are intended to model changing of the marking. Moreover,
the clock of the firing transition is switched off. The set of these transitions
is denoted as Fire, and the transitions are referred to as fire-transitions.

6. For each inconsistent state (M, I) of TN a new transition update(M, I) is
generated. The preset of the transition update(M, I) is given by M ∪ M^c ∪
PL(I) and the postset by M ∪ M^c ∪ PL(I'), where, for all v ∈ T,

    I'(v) =  I(v)   if I(v) ≠ $ ∧ v ∈ Enabled(M)
             0      if I(v) = $ ∧ v ∈ Enabled(M)
             $      otherwise.

These transitions are intended to model updating the clocks of newly acti-
vated or deactivated transitions. The set of these transitions is denoted as
Update, and the transitions are referred to as update-transitions.

Hence, altogether we have P_X = P ∪ P^c ∪ Clock, T_X = Tic ∪ Fire ∪ Update,
F_X as described above, and M_X0 = M_0 ∪ M_0^c ∪ PL(I_0). □

Definition 3. Let TN be a DT-net and X(TN) its time-expansion. A marking
M of X(TN) is called consistent iff |M ∩ {p, p^c}| = 1 for each p ∈ P and

    |M ∩ {p_t^$, p_t^0, ..., p_t^lft(t)}| = 1 and (p_t^$ ∈ M ⟺ t ∉ Enabled(M ∩ P)) for all t ∈ T.

□
Theorem 1. Let TN = (P, T, F, χ, M_0) be a DT-net. Then the following hold:

(i) (M, I) —{t_1, ..., t_n}→ (M', I') in TN iff either

    M ∪ M^c ∪ PL(I) —{t_1(I(t_1)), ..., t_n(I(t_n))}→ M' ∪ M'^c ∪ PL(I')  or

    M ∪ M^c ∪ PL(I) —{t_1(I(t_1)), ..., t_n(I(t_n))}→ M' ∪ M'^c ∪ PL(Ī)  and

    M' ∪ M'^c ∪ PL(Ī) —update(M', Ī)→ M' ∪ M'^c ∪ PL(I')  in X(TN).

(ii) The consistent state (M, I) is reachable in TN iff the consistent marking
(M ∪ M^c ∪ PL(I)) is reachable in X(TN). In particular, M is a reachable
marking of TN iff M = M' ∩ P for some reachable marking M' of X(TN).
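
Definition 2 and Theorem 1(i) at the level of a single state, as an added example
that is not the paper's code: the place encoding X(M, I) = M ∪ M^c ∪ PL(I), the
fire-transition t(i), tic(M, I) and update(M, I) as (preset, postset) pairs over the
expanded places, and the consistency check of Definition 3. The three-transition
net is constructed for this example; the place names p^c and p_t^i follow the
definition, and None stands for the clock value $.

```python
"""Definition 2 (time-expansion) and Theorem 1(i) at the level of one state.  Added
example, not the paper's code: place names p^c and p_t^i follow the definition,
None stands for $."""
from typing import Dict, FrozenSet, Optional, Set, Tuple

Marking = FrozenSet[str]
Clock = Dict[str, Optional[int]]
Trans = Tuple[Marking, Marking]      # (preset, postset) of a transition of X(TN)


def clock_place(t: str, i: Optional[int]) -> str:
    return f"p_{t}^{'$' if i is None else i}"    # p_t^$, p_t^0, ..., p_t^lft(t)


def comp(p: str) -> str:
    return p + "^c"                               # complementary place p^c


class Expansion:
    def __init__(self, places, pre, post, chi):
        self.P = frozenset(places)
        self.pre, self.post, self.chi = pre, post, chi   # •t, t•, (eft(t), lft(t))

    def enabled(self, m: Marking) -> Set[str]:
        return {t for t, p in self.pre.items() if p <= m}

    def X(self, m: Marking, I: Clock) -> Marking:
        # X(M, I) = M ∪ M^c ∪ PL(I) with M^c = {p^c | p ∈ P \ M}, PL(I) = {p_t^I(t) | t ∈ T}
        return m | {comp(p) for p in self.P - m} | {clock_place(t, I[t]) for t in self.chi}

    def decode(self, mx: Marking) -> Tuple[Marking, Clock]:
        # inverse of X for markings carrying exactly one clock place per transition
        I = {t: next(i for i in [None, *range(lft + 1)] if clock_place(t, i) in mx)
             for t, (_, lft) in self.chi.items()}
        return mx & self.P, I

    def fire_transition(self, t: str, i: int) -> Trans:
        # t(i): preset •t ∪ {p^c | p ∈ t• \ •t} ∪ {p_t^i}, postset t• ∪ {p^c | p ∈ •t \ t•} ∪ {p_t^$}
        pre_t, post_t = self.pre[t], self.post[t]
        pre = pre_t | {comp(p) for p in post_t - pre_t} | {clock_place(t, i)}
        post = post_t | {comp(p) for p in pre_t - post_t} | {clock_place(t, None)}
        return frozenset(pre), frozenset(post)

    def tic_transition(self, m: Marking, I: Clock) -> Optional[Trans]:
        # tic(M, I) exists only if a tic may occur: no enabled v with I(v) = lft(v)
        en = self.enabled(m)
        if any(I[v] is not None and I[v] >= self.chi[v][1] for v in en):
            return None
        # I'(v) = I(v)+1 if I(v) ≠ $ ∧ v ∈ Enabled(M); 1 if I(v) = $ ∧ v ∈ Enabled(M); $ otherwise
        I2 = {v: (None if v not in en else 1 if I[v] is None else I[v] + 1) for v in self.chi}
        return self.X(m, I), self.X(m, I2)

    def update_transition(self, m: Marking, I: Clock) -> Trans:
        # I'(v) = I(v) if I(v) ≠ $ ∧ v ∈ Enabled(M); 0 if I(v) = $ ∧ v ∈ Enabled(M); $ otherwise
        en = self.enabled(m)
        I2 = {v: (None if v not in en else 0 if I[v] is None else I[v]) for v in self.chi}
        return self.X(m, I), self.X(m, I2)

    def is_consistent(self, mx: Marking) -> bool:
        # Definition 3: one of p, p^c; one clock place per t; p_t^$ marked iff t disabled
        m = mx & self.P
        if any(len(mx & {p, comp(p)}) != 1 for p in self.P):
            return False
        en = self.enabled(m)
        for t, (_, lft) in self.chi.items():
            cps = {clock_place(t, i) for i in [None, *range(lft + 1)]}
            if len(mx & cps) != 1 or (clock_place(t, None) in mx) != (t not in en):
                return False
        return True

    @staticmethod
    def fire(mx: Marking, trans: Trans) -> Optional[Marking]:
        pre, post = trans
        return (mx - pre) | post if pre <= mx else None

    def occur(self, mx: Marking, t: str) -> Optional[Marking]:
        # Theorem 1(i): t(I(t)) in X(TN), then update(M', Ī) if the result is inconsistent
        m, I = self.decode(mx)
        if I[t] is None:
            return None
        mid = self.fire(mx, self.fire_transition(t, I[t]))
        if mid is None or self.is_consistent(mid):
            return mid
        return self.fire(mid, self.update_transition(*self.decode(mid)))


def example_expansion() -> Expansion:
    # constructed net: u: a → b [0,1],  w: d → f [1,1],  x: {b, f} → e [2,3]
    fs = frozenset
    return Expansion(places={"a", "b", "d", "e", "f"},
                     pre={"u": fs({"a"}), "w": fs({"d"}), "x": fs({"b", "f"})},
                     post={"u": fs({"b"}), "w": fs({"f"}), "x": fs({"e"})},
                     chi={"u": (0, 1), "w": (1, 1), "x": (2, 3)})
```

Firing u(1) from X({a, f}, 1$$) leaves p_x^$ marked although x is now enabled, i.e.
an inconsistent marking; update({b, f}, $$$) then yields X({b, f}, $$0), the second
alternative of Theorem 1(i).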

Figure 4(i) shows a simple time Petri net TN_2. The time expansion X(TN_2)
(see figure 4(ii)) shows the strong connection between the 'clock-net' (on the
right) and the 'normal-net' (on the left). Some update-transitions are omitted,
cf. update({p_0}, 1$$), because the state (M, I) = ({p_0}, 1$$) is not consistent.




Fig. 4. Time expansion example 
4 Partial Order Model Checking of Time Petri Nets

In section 2.3 we have extended the temporal logic L to time Petri nets. In this
section we will show that, for a time Petri net TN, the model checking problem
w.r.t. L can be solved by applying Esparza's model checking algorithm to the
time expansion X(TN) of TN.

Let e be a cut-off event of a P/T-net N, and e° an event such that |[e°]| <
|[e]| and Mark([e]) = Mark([e°]). As pointed out in [9], in this case the possible
future after Cut([e]) is isomorphic to the possible future after Cut([e°]). This
property is crucial for the proof of Esparza's theorem.

Figure 1(iii) shows that for a time Petri net TN the possible future after
some finite configuration C also depends on the timing associated to C. It follows
that for a time Petri net TN that part of the McMillan-unfolding McM(N) of
the underlying P/T-net N which is realizable under the time restrictions does
not contain sufficient information to serve as a basis for model checking (cf.
Figure 1(ii)).

The time-expansion X(TN) of a time Petri net TN, on the other hand, has all
necessary information about future behaviour, cf. theorem 1. The connection of
TN and X(TN) w.r.t. satisfaction of formulae is given by the following lemma,
which states that a temporal logic formula φ is time-satisfied by a state of a
time Petri net TN iff it is satisfied by the corresponding marking of the time-
expansion X(TN) of TN.

Lemma 1. Let TN be a DT-net, (M, I) a reachable state of TN, and φ a for-
mula over TN. Let X(M, I) = M ∪ M^c ∪ PL(I) be the time-expansion of (M, I).
Then

    (M, I) ⊨_t^TN φ iff X(M, I) ⊨'^X(TN) φ.

Corollary 1. Let TN be a DT-net and φ a formula over TN. Then
TN ⊨_t^TN φ iff X(TN) ⊨^X(TN) φ.

Hence, by Esparza's theorem, in order to check if TN satisfies a given for-
mula φ, it is sufficient to consider the McMillan-unfolding of the time expansion
X(TN). On the other hand, X(TN) - and therefore also its McMillan-unfolding
- contains also some unnecessary information; e.g., conditions labeled by clock-
places or complementary places which do not occur in formulas. If these are
removed, also events labeled by update-transitions become meaningless, because
then these just reproduce their presets. Events labeled by tic-transitions, on the
other hand, will still be relevant because these represent the timed ordering of
conditions. According to these considerations, we will simplify McM(X(TN)).

Definition 4 (Reduced Unfolding).

Let TN be a DT-net and let β = (B, E, F, π) be any branching process of
its time-expansion. The reduced branching process R(β) of β is constructed by
performing the following steps:

1. Remove from β all conditions labeled by clock-places or complementary
places and all incident arcs, resulting in a process β_1.

2. Remove from β_1 all parts which are in conflict with an update-transition,
resulting in a process β_2.

3. Remove from β_2 all events labeled by update-transitions and all incident
arcs. Each time such an event e is taken out, •e and e• are fused. This results
in a process β_3.

4. Rename the labels of all events: Label t(i) of event e is replaced by t. This
results in a process β_4 = R(β).

5. For a configuration C of β the reduction R(C) is defined by R(C) = C ∩
E_R(β).

□

It is easy to see that reduction of a process β of X(TN) is well defined, and
that reduction preserves inclusion of configurations, i.e.,

    C ⊆ C' in β iff R(C) ⊆ R(C') in R(β)

for all configurations C, C' in β.

Theorem 2. Let TN be a DT-net, β a process of X(TN), and φ an L-formula
over TN. Then it holds that
Theorem 2 motivates the following definition: 

Definition 5 (McMillan-Unfolding). Let TN be a DT-net. The McMillan-
unfolding of TN is defined by McM(TN) = R(McM(X(TN))). □

The McMillan-unfolding McM(TN_1) of the time Petri net TN_1 is shown in
Figure 1(iii).

Next we will prove that, for a time Petri net TN, McM(TN) satisfies exactly
the same formulae as the McMillan-unfolding of X(TN). Let Sat_rf(φ)_N denote
the set of configurations of the reduced McMillan-unfolding of X(TN) that sat-
isfy the L-formula φ over TN. The following proposition is an easy consequence
of theorem 2:

Proposition 2. Let TN be a time Petri net and φ an L-formula over TN.
Then

    Sat_rf(φ)_X(TN) = ∅ iff Sat_f(φ)_X(TN) = ∅.

Finally, putting together the puzzle, we can establish the key result of this
paper, which states that a formula φ is time-satisfied by a time Petri net TN iff
it is satisfied by the McMillan-unfolding of the time-expansion of TN.

Theorem 3. Let TN be a time Petri net, X(TN) its time expansion, and φ a
formula over TN. Then

    TN ⊨_t φ iff Sat_rf(¬φ)_X(TN) = ∅.

Consequently, to check an L-formula φ against a time Petri net TN one
has to compute the McMillan-unfolding McM(TN) and to check φ against
McM(TN).

Note that neither the explicit construction of X(TN) nor of McM(X(TN))
is needed for the construction of McM(TN). In [11] we present an algorithm
which is a refinement of the algorithm for the finite prefix given in [10]. We prove
that with this algorithm, McM(TN) may be computed in O(n log n) time, where
n denotes the size (number of nodes) of McM(TN). It is shown that the number
of events in McM(TN) is bounded by the number of reachable states in TN,
i.e. that the size of McM(TN) is at most linear in the size of the reachability
graph of TN. Moreover, some examples of time Petri nets are presented whose
finite prefix is substantially smaller than the reachability graph.

5 Related Work 

Approaches to model checking of time Petri nets w.r.t. (timed) temporal log- 
ics are either based on the timed state graph (TSG) [23,24], or on the timed 
branching process [3, 15, 23]. 

In [24], model checking of safe time Petri nets with rational firing bounds 
w.r.t. a real time extension of linear time temporal logic is considered, which is 
based on differences between timing variables rather than absolute time points. 
A finite graph representing the state space is computed whose nodes consist 
of reachable markings augmented by additional sets of inequalities describing 
timing conditions. Since each reachable marking is represented by at least one 
node, this appraoch faces the state explosion problem. 

The time state graph construction of [24] is improved in [15] in several ways. 
First, a coarser semantics which does not take into account implicit ordering of 
events is considered. Second, the finite prefix of the underlying net is used to 
speed-up searching the time state graph. 

Model checking against TCTL is explored in [23]. Here, a region graph con- 
struction is used to compute a finite representation of the timed state space, cf. 
the construction for timed automata in [1]. 

A notion of timed process of a time Petri net, denoting a causal process which 
is realizable under the time constraints of the net, is introduced in [3]. A method 
is developed to compute all valid timings for a causal process of a time Petri net 
with divergent time. 

In [21], the class of safe time Petri nets is restricted to time independent
choice nets and analysed w.r.t. reachability. The reachability checking algorithm
is based on a finite prefix of the underlying net. Like in [24], timing conditions are
represented explicitly by sets of inequalities as additional inscriptions of events.
Using the prefix construction, an asynchronous circuit with bounded delay is
verified w.r.t. hazard-freedom.

The approach presented in this paper may also be compared to timed au-
tomata (cf. e.g. [1]). E.g. checking reachability in a time Petri net TN can
be reduced to reachability analysis in a timed automaton TA in the follow-
ing way: Given a safe time Petri net TN, first compute its reachability graph
G = (V, E), giving the states and the transitions of TA. Introduce a clock c_t for
each transition t of TN. The inscription of a transition M —t→ M' ∈ E consists
of the guard eft(t) ≤ c_t ≤ lft(t), and the set of clocks to be reset is given by
{c_t' | t' ∈ Enabled(M − •t)}. Moreover, for each state M, the invariant is given
by true. Unfortunately, this construction is very expensive: First, the size of
G may be exponential in the size of TN; second, in order to check reachability
in TA, the region graph construction is needed, bringing along an additional
exponential blow up.

On the other hand, simulation of general timed automata by time Petri nets
seems to be unfeasible.

6 Conclusion 

We have defined the finite prefix of a time Petri net TN, based on the time- 
expansion of TN. By showing that this is sufficient for applying Esparza’s model 
checking algorithm for safe P/T-nets, we have established a first - but still 
substantial - step towards quantitative analysis of distributed real-time systems 
based on partial order semantics. The next steps will consist in extending our 
approach to real-time temporal logic. 

In [12], the language SDL/R was introduced which extends SDL (Specifica- 
tion and Description Language) by adding real-time requirements. For SDL/R, 
a denotational semantics was defined in terms of time M-nets, which form a class 
of compositional timed high level Petri nets. As pointed out in [12], time M-nets 
may be unfolded into safe time Petri nets. Hence, the result of this paper also 
suggests a new method for proving functional and qualitative temporal proper- 
ties of SDL/R-specifications. Currently, the new method is being integrated into 
the MOBY-tool (cf. [2]) and the PEP-tool (cf. [5]). 
Abstract. We study at different levels of abstraction general semantic
and algebraic properties of languages which are based on asynchronous 
communication. These different levels of abstraction concern the spe- 
cific nature of the communication mechanism. At the highest level we 
introduce a process algebra which characterizes asynchronous commu- 
nication in general, that is, when abstracting from the specific nature 
of the communication mechanism. This generic process algebra we fur- 
ther instantiate to algebras for different classes of languages. Considered 
are classes of languages which are based on a general monoid structure 
of the actions and classes of languages which are based on read/write 
operations. 



1 Introduction 

In this paper we investigate the semantics and equational theories, or process algebras as we call them, for the general paradigm of asynchronously communicating processes which has been introduced in [...]. This paradigm encompasses such diverse systems as described by concurrent logic languages [...], concurrent constraint languages [...], imperative languages in which processes communicate by means of shared variables or asynchronous channels [...], dataflow languages [...], and coordination languages [...].

These systems have in common that processes communicate via some shared data structure. The asynchronous nature of the communication lies in the way access to this shared data structure is modelled: the data structure is updated by means of write primitives that have free access, whereas the read primitives may suspend in case the data structure does not contain the information required by them. The execution of the read and write primitives is independent in the sense that they can take place at different times. This marks an essential difference with synchronously communicating processes, like CSP [...], where reading from and writing to a channel has to take place at the same time.

In [5] a generic concurrent language $\mathcal{L}$ is introduced which assumes given a set of basic (or atomic) actions. Statements are constructed from these actions by means of sequential composition, the plus operator for non-deterministic choice, the parallel operator, and recursion. The basic actions are interpreted by means of an interpretation function $I$ as partially defined state transformations. When the interpretation $I(a)$ of a pure read action $a$ is undefined in a state this means that the execution of $a$ is suspended. A suspended process is forced to wait until actions of other processes produce a state in which it is enabled. A pure write action $a$ is characterized by the fact that $I(a)$ is a totally defined function. It can always proceed autonomously. In general, an action can embody both a read and a write component.

Jos C.M. Baeten, Sjouke Mauw (Eds.): CONCUR'99, LNCS 1664, pp. 226-…, 1999.
© Springer-Verlag Berlin Heidelberg 1999

Generic Process Algebras for Asynchronous Communication



Many languages for asynchronously communicating processes can be obtained as instances of $\mathcal{L}$ by choosing the appropriate set of actions, the set of states and the interpretation function for the basic actions. For example, the imperative language described in [...], based on shared variables, can be modelled by taking as states functions from variables to values, as actions the set of assignments, and then the usual interpretation of an assignment as a state transformation. Languages based on the blackboard model [...], like Linda [...] and Shared Prolog [...], can be modelled analogously, by taking as states the configurations of a centralized data structure (the blackboard) and as actions checks and updates of the blackboard. Another example is the class of concurrent constraint languages [...]. These are modelled by interpreting the abstract set of states as a constraint system and the actions as ask/tell primitives. Concurrent logic languages, like Flat Concurrent Prolog [...], can be obtained by interpreting the states as the bindings established on the logical variables, and the actions as the unification steps. An asynchronous variant of CCS [...] is modelled by considering the state as a set (or a multi-set) of actions. Performing an action then corresponds to adding it to the set, while performing the complementary action corresponds to testing whether the action is already in the set. Finally, a variant of CSP based on asynchronous channels [...] (see also [...]) can be obtained by taking as states the configurations of the channels and as actions the input-output primitives on these channels.



The basic computation model of $\mathcal{L}$ is described in [...] by means of a labelled transition system which is defined parametric with respect to the interpretation function $I$. It specifies for every statement what (initial) steps it can take. Each step results in a state transformation, which is registered in the label: as labels we use pairs of states. Based on this transition system, we define the initial/final state semantics of statements which distinguishes between the results of successfully terminating and deadlocking computations.



In this paper we study the congruence relation induced by the initial/final state semantics at different levels of abstraction. Our first result is a denotational characterization of this congruence relation at the highest level of abstraction, that is, when abstracting from the actual interpretation function $I$. This denotational model is based on reactive sequences as introduced in [...]. It is also defined parametric with respect to the interpretation function. In this model a computation is described as a sequence of pairs of states, a so-called reactive sequence. A pair of states encodes the state transformation which occurred during a single (atomic) transition step. These sequences are not necessarily connected, i.e. the final state of a pair can be different from the initial state of the following pair. These "gaps" represent the possible steps made by the environment. We show that this model based on reactive sequences is fully abstract with respect to the initial/final state semantics in the following generic sense: two processes have in every interpretation the same set of reactive sequences if and only if in every interpretation they are observationally congruent.

In general the standard full abstraction statement for a given interpretation 
I does not hold. For example, the interpretation I which models shared variable 
concurrency requires some further abstractions (notably, abstraction from finite 
stuttering and the granularity of interleaving) . In general these abstractions con- 
cern the specific nature of the underlying computational model as described by 
the given interpretation. 

Next, we show that two processes have in every interpretation the same set of reactive sequences if and only if they have the same failure semantics. This failure semantics as described in [...] is defined directly in terms of the uninterpreted actions of $\mathcal{L}$. As such we have obtained a correspondence between the state-based interpretation of the language $\mathcal{L}$ and its action-based interpretation as studied in process algebras like PA or ACP [...]. That is, the intersection of the congruence relations induced by the initial/final state semantics of any instantiation of $\mathcal{L}$ coincides with the failure semantics of $\mathcal{L}$. It is worthwhile to observe here that the (action-based) failure semantics of $\mathcal{L}$ does not coincide with the maximal traces (of actions) of $\mathcal{L}$ because $\mathcal{L}$ does not include the encapsulation operator of ACP which allows one to hide actions. As such the maximal traces semantics of $\mathcal{L}$ already constitutes a congruence relation. However this action-based semantics of $\mathcal{L}$ does not capture the deadlock behavior as described by the initial/final state semantics of $\mathcal{L}$. This deadlock behavior instead is captured by the failure semantics. Consequently the standard failure axioms of [...] provide a general complete axiomatization of asynchronous communication, that is, these axioms characterize what holds in any parallel programming language based on an asynchronous communication mechanism.

We proceed our investigation by considering the specific nature of the basic actions of certain classes of instantiations of $\mathcal{L}$. First we consider instantiations which are based on a monoid structure of the basic actions. This monoid describes the internal structure of actions in terms of a state-based composition operation. That is, actions as state-transformations now can be viewed as being composed of other state-transformations. In this view, the 'silent step' $\tau$ of process algebras like ACP denotes the (total) identity transformation, and the 'inaction' $\delta$ denotes the transformation which is undefined in every state. Our second main result is that a generic fully abstract state-based model for languages based on the (functional) composition of actions requires abstraction from finite stuttering and the granularity of interleaving. A complete and generic algebraic characterization is given of these abstractions.

We conclude with an axiomatization of read and write actions. In general a read action is a partially defined identity function (on the set of states) whereas a write action is defined in every state, that is, it never blocks. Moreover we further refine this axiomatization to the class of so-called monotonic languages. These languages are based on a monotonic interpretation of the actions with respect to a given information-ordering on states. Characteristic instances of this class are the concurrent logic (constraint) languages.

1.1 Comparison with Related Work 

Most existing works on process algebras of asynchronous communication concern particular programming languages [...]. One of the main contributions of this paper is to provide a general framework for studying algebraic properties of classes of languages, instead of one particular language. These classes represent different asynchronous communication mechanisms which are defined in terms of some general semantic characteristics of the basic actions.

Our approach allows for interesting generalizations of various existing semantic models and algebras. For example, in [...] a fully abstract model is given for a concurrent imperative language based on shared variables. We generalize this model in two dimensions. First of all we give a general semantic treatment of deadlock in languages based on asynchronous communication (in [...] only the results of successfully terminating computations are considered). Moreover, we show that the abstractions from finite stuttering and granularity of interleaving defined in [...] and [...] apply to all instantiations of $\mathcal{L}$ which are based on a monoid structure of actions.

Other generalizations concern the axiomatization of read and write actions and the axiomatization of certain commutativity properties of actions as described in [...]. We axiomatize these properties in terms of a general class of monotonic interpretations.

2 The Language $\mathcal{L}$ and Its Operational Semantics

In this section we introduce the language $\mathcal{L}$ and define its operational semantics by means of a transition system.

Definition 1. Let $(a \in) A$ be an infinite but countable set of actions and let $(x \in) Var$ be a set of (statement) variables. We define the set $(s \in) \mathcal{L}$ of statements as follows:

$$s ::= a \mid x \mid s;t \mid s + t \mid s \parallel t \mid \mu x.s$$

Moreover, $\mathcal{L}$ contains a special statement $E$, the terminated statement.

The symbols ';', '+' and '$\parallel$' represent the sequential, the choice and the parallel operator respectively. In the statement $\mu x.s$, the free occurrences of $x$ in $s$ are interpreted recursively as the statement $\mu x.s$ itself. By $s[\mu x.s/x]$ we denote the statement obtained by substituting $\mu x.s$ for each free occurrence of $x$ in $s$. In the following we consider only closed statements (without free variables).

Definition 2. An interpretation $I$ consists of a set $(\sigma \in) \Sigma$ of states and an assignment of a state-transformation $I(a) \in \Sigma \to \Sigma_\bot$ to each action $a$, where $\Sigma_\bot = \Sigma \cup \{\bot\}$.

Actions are thus interpreted as partially defined functions on the set of states: $I(a)(\sigma) = \bot$ indicates that $I(a)$ is not defined in $\sigma$.

Given an interpretation $I$ the computational model of $\mathcal{L}$ is described by a labelled transition system $(\mathcal{L}, Label, \to)$. The set $(\lambda \in) Label$ of labels is defined by $Label = \Sigma \times \Sigma$. A label represents the state transformation caused by the action performed during the transition step.

Definition 3. The transition relation $\to \subseteq \mathcal{L} \times Label \times \mathcal{L}$ is defined as the smallest relation satisfying the following axiom and rules:

— For $\sigma' = I(a)(\sigma)$ we have $a \xrightarrow{(\sigma,\sigma')} E$.

— If $s \xrightarrow{\lambda} s'$ then

$$s;t \xrightarrow{\lambda} s';t \qquad s + t \xrightarrow{\lambda} s' \qquad t + s \xrightarrow{\lambda} s' \qquad s \parallel t \xrightarrow{\lambda} s' \parallel t \qquad t \parallel s \xrightarrow{\lambda} t \parallel s'$$

If $s' = E$ then read $t$ for $s';t$, $s' \parallel t$ and $t \parallel s'$ in the clauses above.

— If $s[\mu x.s/x] \xrightarrow{\lambda} s'$ then $\mu x.s \xrightarrow{\lambda} s'$.

For $s \neq E$ we introduce $s \stackrel{\sigma}{\not\to}$ to indicate that there does not exist a state $\sigma'$ and a statement $s'$ such that $s \xrightarrow{(\sigma,\sigma')} s'$.



Note that the transition system depends on a given $I$ (this dependence we leave implicit). On the basis of the transition system we introduce the following notion of observables.

Definition 4. Let $\Sigma^+ = \Sigma \times \{\Delta, E\}$. Given an interpretation $I$, we define $I(s) \in \Sigma \to \mathcal{P}(\Sigma^+)$ recursively by

$$I(s)(\sigma) = \bigcup \{ I(s')(\sigma') \mid s \xrightarrow{(\sigma,\sigma')} s' \} \cup \{ (\sigma, \Delta) \mid s \stackrel{\sigma}{\not\to} \}$$

We define $I(E)(\sigma) = \{(\sigma, E)\}$, for every $\sigma \in \Sigma$. This recursive definition of $I : \mathcal{L} \to (\Sigma \to \mathcal{P}(\Sigma \times \{\Delta, E\}))$ can be justified formally as the least fixed point (defined with respect to pointwise extended set-inclusion) of a corresponding operator.

The observables $I(s)$ record for each input state $\sigma$ both the final results of successfully terminating and deadlocking computations of $s$ in $\sigma$. Successful termination is denoted by $E$ and deadlock is indicated by $\Delta$.



3 A Generic Process Algebra 

In this section we introduce a generic process algebra for asynchronous communication. Its genericity lies in the fact that we abstract from the specific nature of the asynchronous communication mechanism. This abstraction is captured by the following congruence relation.
Definition 5. We define $s \equiv t$ if and only if for every interpretation $I$, $I(c[s]) = I(c[t])$, for every context $c[x]$. A context $c[x]$ is simply a statement with a free statement-variable $x$. The result of replacing every occurrence of $x$ in $c[x]$ by a statement $s$ is denoted by $c[s]$.

The relation $s \equiv t$ thus describes the identities between statements which hold in every interpretation; this is reflected by the presence of universal quantification on both contexts and interpretations. The following definition (which already appeared in [...]) gives a denotational characterization of this relation which assigns to each statement a set of reactive sequences.

Definition 6. Let $I$ be an interpretation. Let $D = (\Sigma \times \ldots)$, with typical element $\omega$. Elements of $D$ are also called reactive sequences. For $R \subseteq D$ and label $\lambda$ we define $\lambda \cdot R = \{\lambda \cdot \omega \mid \omega \in R\}$ (here $\cdot$ denotes the prefix operation). We define $I(s) \subseteq D$ recursively by

$$I(s) = \bigcup \{ \lambda \cdot I(t) \mid s \xrightarrow{\lambda} t \} \cup \{ (\sigma, \Delta) \mid s \stackrel{\sigma}{\not\to} \}$$

We define $I(E) = \{\varepsilon\}$ (the empty sequence is denoted by $\varepsilon$). The formal justification of this recursive definition of $I$ can be given as the least fixed point (defined with respect to pointwise extended set-inclusion) of a corresponding operator.

The proof of the following theorem can be found in [...].

Theorem 1. The relation $s \approx t$ def­ined by $I(s) = I(t)$, for all $I$, is a congruence relation.

We are now able to state the following generic full abstractness result.

Theorem 2. For any statements $s$ and $t$, $s \equiv t$ if and only if $s \approx t$.

Proof. The if part directly follows from the compositionality result of Theorem 1 and by the fact that for every $s$ (distinct from $E$) and $\sigma$ the set $I(s)(\sigma)$ can be obtained from $I(s)$ in the following way

$$I(s)(\sigma_1) = \{ (\sigma_{n+1}, E) \mid (\sigma_1,\sigma_2)(\sigma_2,\sigma_3)\ldots(\sigma_n,\sigma_{n+1}) \in I(s) \} \cup \{ (\sigma_n, \Delta) \mid (\sigma_1,\sigma_2)(\sigma_2,\sigma_3)\ldots(\sigma_n,\Delta) \in I(s) \}$$

Note that we consider sequences of connected pairs of states, namely, the second state of a pair is the first one of the next pair. Such sequences represent computations of $s$ viewed as a closed system.

In order to prove the only if part we proceed by contraposition. We assume $s \not\approx t$; this ensures the existence of an interpretation $I$ such that $I(s) \neq I(t)$. Without loss of generality we may assume the existence of a reactive sequence $\omega$ such that $\omega \in I(s) \setminus I(t)$. There are two cases, $\omega = (\sigma_1,\sigma'_1)(\sigma_2,\sigma'_2)\ldots(\sigma_n,\sigma'_n)$ or $\omega = (\sigma_1,\sigma'_1)(\sigma_2,\sigma'_2)\ldots(\sigma_n,\Delta)$. We present only the proof for the first case; the other one is treated similarly.
Let $\Sigma$ be the set of states of $I$. We define a new interpretation $I'$ with the state space $(w \in) \Sigma^*$ consisting of all (finite) sequences of states in $\Sigma$ and the following interpretation of the basic actions:

$$I'(a) = \lambda w.\ \text{if } w \neq \varepsilon \text{ then } w \cdot I(a)(last(w)) \text{ else } \bot$$

where $\cdot$ denotes the append operation; as a special case we define $w \cdot \bot = \bot$; the last element of the non-empty sequence $w$ is denoted by $last(w)$. In this way we have encoded the history of the computation in the actual state.

We now consider a statement $r = a_1; \ldots; a_{n-1}$ such that each action $a_i$ is fresh in the sense that it does not occur in $s$ or in $t$. Such an action $a_i$ is used to fill the gap between the states $\sigma_1 \ldots \sigma'_i$ and $\sigma_1 \ldots \sigma'_i \sigma_{i+1}$:

$$I'(a_i) = \lambda w.\ \text{if } w = \sigma_1 \ldots \sigma'_i \text{ then } w \cdot \sigma_{i+1} \text{ else } \bot$$

It is now easy to see that $I'(s \parallel r)(\sigma_1) \neq I'(t \parallel r)(\sigma_1)$ (hence also $s \not\equiv t$). In fact $(\sigma_1 \ldots \sigma'_n, E) \in I'(s \parallel r)(\sigma_1) \setminus I'(t \parallel r)(\sigma_1)$, otherwise we would have $\omega \in I(t)$, which contradicts the above assumption. □

However, given an interpretation $I$, in general the usual full abstraction statement

$$I(s) = I(t) \text{ if and only if for every context } c[\,],\ I(c[s]) = I(c[t])$$

does not hold. For example, the interpretation $I$ which models shared variable concurrency requires some further abstractions (notably, abstraction from finite stuttering and the granularity of interleaving). These abstractions in general however concern the specific nature of the underlying computational model as described by the given interpretation.

We now show that the relation $\approx$ coincides with the failure semantics of the (uninterpreted) language $\mathcal{L}$.

Definition 7. Consider the usual labelled transition system $s \xrightarrow{a} t$ indicating that the statement $s$ can reach $t$ performing an action $a$ (e.g. $a;s \xrightarrow{a} s$). With $s \stackrel{w}{\Longrightarrow} t$ we mean that $t$ can be reached after having performed the (finite) sequence of actions $w$ (i.e. if $w$ is the empty sequence then $s = t$, otherwise, if $w$ is the sequence $a_1 \ldots a_n$ then $s \xrightarrow{a_1} \cdots \xrightarrow{a_n} t$). Let $Init(s)$ be the set of labels $a$ such that $s \xrightarrow{a} t$ for some $t$. We define

$$F(s) = \{ (w, E) \mid s \stackrel{w}{\Longrightarrow} E \} \cup \{ (w, T) \mid s \stackrel{w}{\Longrightarrow} t,\ t \neq E,\ \text{and } T \subseteq A \text{ s.t. } T \cap Init(t) = \emptyset \}$$

Given a statement $s$, $F(s)$ is the set of the pairs $(w, E)$, where the sequence of actions $w$ (performed by $s$) leads to the termination statement $E$, and $(w, T)$, where the sequence of actions $w$ (performed by $s$) leads to a statement different from $E$ that is not able to perform the actions in $T$.
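As an added illustration of Definitions 3, 4, 6 and 7 (example code written for this edit, not code from the paper or its authors), the following Python computes, for the recursion-free fragment of $\mathcal{L}$, the uninterpreted transitions $s \xrightarrow{a} s'$, the initial/final state observables $I(s)(\sigma)$, the reactive sequences $I(s)$ over a finite state space, and the failure set $F(s)$ with refusal sets drawn from a finite alphabet. The two-state space, the actions w, r and tau, the encoding of $\bot$ as None and of $\Delta$ as the string DELTA, and every function name are this example's own assumptions. Run as a script it reproduces the comparison of $a$ and $a;\tau$ made in Section 4 and the comparison of $a + b$ with $b;a + b$ made in Section 5.

```python
"""Added example (not the paper's code): the recursion-free fragment of the
language L with the semantics of Definitions 3, 4, 6 and 7 computed over a
small constructed interpretation.  All names are this example's own."""
from itertools import combinations

E = 'E'          # the terminated statement
DELTA = 'DELTA'  # the deadlock marker (the paper's triangle)

# Statements are nested tuples; a bare string is an action.  Recursion
# (mu x.s) is left out so that every computation is finite.
def seq(s, t):
    return ('seq', s, t)

def plus(s, t):
    return ('plus', s, t)

def par(s, t):
    return ('par', s, t)

def _seq(s, t):
    # "read t for s';t" when s' = E (Definition 3)
    return t if s == E else seq(s, t)

def _par(s, t):
    # "read t for s'||t and t||s'" when s' = E (Definition 3)
    if s == E:
        return t
    if t == E:
        return s
    return par(s, t)

def step(s):
    """Uninterpreted transitions s --a--> s' (Definition 7) as (a, s') pairs."""
    if s == E:
        return []
    if isinstance(s, str):
        return [(s, E)]
    op, l, r = s
    if op == 'seq':
        return [(a, _seq(l2, r)) for a, l2 in step(l)]
    if op == 'plus':
        return step(l) + step(r)
    return ([(a, _par(l2, r)) for a, l2 in step(l)] +
            [(a, _par(l, r2)) for a, r2 in step(r)])

def observables(interp, s, sigma):
    """Initial/final state semantics I(s)(sigma) of Definition 4.  interp maps
    each action to a function returning the next state, or None for bottom."""
    if s == E:
        return {(sigma, E)}
    result, enabled = set(), False
    for a, s2 in step(s):
        sigma2 = interp[a](sigma)
        if sigma2 is not None:
            enabled = True
            result |= observables(interp, s2, sigma2)
    if not enabled:           # no action of s is enabled in sigma: deadlock
        result.add((sigma, DELTA))
    return result

def reactive(interp, states, s):
    """Reactive sequences I(s) of Definition 6 over a finite state space, as
    tuples of (sigma, sigma') pairs; (sigma, DELTA) ends a deadlocking one.
    Consecutive pairs need not connect: the gaps are environment steps."""
    if s == E:
        return {()}
    result = set()
    for sigma in states:
        enabled = False
        for a, s2 in step(s):
            sigma2 = interp[a](sigma)
            if sigma2 is not None:
                enabled = True
                for w in reactive(interp, states, s2):
                    result.add(((sigma, sigma2),) + w)
        if not enabled:
            result.add(((sigma, DELTA),))
    return result

def failures(s, alphabet):
    """Failure set F(s) of Definition 7 with refusal sets T drawn from a finite
    alphabet (the example's simplification of the paper's T subset of A)."""
    alphabet = sorted(alphabet)
    refusals = [frozenset(c) for n in range(len(alphabet) + 1)
                for c in combinations(alphabet, n)]
    result, todo = set(), [((), s)]
    while todo:
        w, t = todo.pop()
        if t == E:
            result.add((w, E))
            continue
        init = {a for a, _ in step(t)}
        result.update((w, T) for T in refusals if not (T & init))
        todo.extend((w + (a,), t2) for a, t2 in step(t))
    return result

# Constructed interpretation over two states: 'w' is a write (total, sets the
# state to 1), 'r' a read defined only in state 1 (as the identity), 'tau'
# the identity everywhere.
STATES = (0, 1)
INTERP = {
    'w': lambda sigma: 1,
    'r': lambda sigma: sigma if sigma == 1 else None,
    'tau': lambda sigma: sigma,
}

if __name__ == '__main__':
    # A read suspends until a parallel write enables it, but deadlocks when
    # sequenced before that write (the b;a + b versus a + b point of Section 5).
    print(observables(INTERP, par('r', 'w'), 0))   # {(1, 'E')}
    print(observables(INTERP, seq('r', 'w'), 0))   # {(0, 'DELTA')}
    # 'w' and 'w;tau' agree in every initial/final state, yet their reactive
    # sequences and failure sets differ (the a versus a;tau point of Section 4).
    print(observables(INTERP, 'w', 0) == observables(INTERP, seq('w', 'tau'), 0))  # True
    print(reactive(INTERP, STATES, 'w') == reactive(INTERP, STATES, seq('w', 'tau')))  # False
    print(failures('w', list(INTERP)) == failures(seq('w', 'tau'), list(INTERP)))  # False
```

Restricting the refusal sets to a finite alphabet is the example's simplification: in the paper $T$ ranges over all of $A$, but an action occurring in neither of two statements is refused by both, so it never separates them.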
Theorem 3. For any statements $s$ and $t$, $s \approx t$ if and only if $F(s) = F(t)$.

Proof. The if part follows from the fact that for every $s$, $I(s)$ can be obtained from the set $F(s)$ (for example, a deadlock state $(\sigma, \Delta)$ is derived from a failure set $T$ by the condition that $I(a)(\sigma) = \bot$, for $a \notin T$).

In order to prove the only if part we proceed by contraposition. Assume that $F(s) \neq F(t)$; without loss of generality we may assume the existence of a pair $(w, T)$ (or $(w, E)$) contained in $F(s) \setminus F(t)$. We present only the case of $(w, E)$, as the other one is treated similarly.

Consider the interpretation $I$ whose actions are defined on (finite) sequences $A_1 \ldots A_n$ of sets of actions (i.e. $A_i \subseteq A$) in the following manner:

$$I(a) = \lambda A_1 \ldots A_n.\ \text{if } a \in A_1 \text{ then } A_2 \ldots A_n \text{ else } \bot.$$

Let $w = a_1 \ldots a_n$; we have that $I(s)(\{a_1\} \ldots \{a_n\}) \neq I(t)(\{a_1\} \ldots \{a_n\})$. In fact $(\varepsilon, E) \in I(s)(\{a_1\} \ldots \{a_n\}) \setminus I(t)(\{a_1\} \ldots \{a_n\})$, otherwise we have $(w, E) \in F(t)$, which contradicts the above assumption. This ensures that $s \not\equiv t$, and so we have $s \not\approx t$ by Theorem 2. □

By Theorem 3 the well-known algebraic laws which characterize the failure equivalence for PA processes (that is, ACP processes without the synchronous communication function, see [...]) in Table 1 give a complete axiomatization of $s \approx t$ for finite statements.




Table 1. Axioms for failure equivalence.

The failure axioms thus provide a general characterization of asynchronous communication when abstracting from the particular nature of the actions.

4 The Monoid of Actions

As the set of actions we now consider not just a generic set $A$ but a monoid $(A, \circ)$, with neutral element $\tau$ and zero element $\delta$ (i.e. $\tau \circ a = a \circ \tau = a$ and $\delta \circ a = a \circ \delta = \delta$). The operation $\circ$ is interpreted as functional composition of state-transformations. We restrict our analysis to the class of interpretation functions which are monoidal.

Definition 8. A monoidal interpretation $I$ consists of a set $(\sigma \in) \Sigma$ of states and an assignment of a state-transformation $I(a) \in \Sigma \to \Sigma_\bot$ to each action $a$, which satisfies the monoid structure:

— $I(\tau) = \lambda\sigma.\ \sigma$,

— $I(\delta) = \lambda\sigma.\ \bot$,

— $I(a \circ b) = \lambda\sigma.\ \text{if } I(a)(\sigma) \neq \bot \text{ then } I(b)(I(a)(\sigma)) \text{ else } \bot$.

The action $\tau$ denotes the identity function and $\delta$ denotes the nowhere defined function. The composite action $a \circ b$ is interpreted as the composition of the interpretations of $a$ and $b$.

Given the additional monoid structure on actions the congruence $s \approx t$ no longer coincides with $s \equiv t$. For example we have that $a \equiv a + a;\tau$ (in fact, $a \equiv a;\tau$) and $a;b \equiv a;b + a \circ b$, but we do not have $a \approx a;\tau$ or $a;b \approx a;b + a \circ b$: For every monoidal interpretation $I$ we have

$$I(a) = \{ (\sigma, \sigma') \mid I(a)(\sigma) = \sigma' \} \cup \{ (\sigma, \Delta) \mid I(a)(\sigma) = \bot \}$$

whereas

$$I(a;\tau) = \{ (\sigma, \sigma')(\sigma'', \sigma'') \mid I(a)(\sigma) = \sigma' \} \cup \{ (\sigma, \Delta) \mid I(a)(\sigma) = \bot \}.$$

Moreover,

$$I(a;b) = \{ (\sigma_1, \sigma_2)(\sigma_3, \sigma_4) \mid I(a)(\sigma_1) = \sigma_2,\ I(b)(\sigma_3) = \sigma_4 \} \cup \{ (\sigma_1, \sigma_2)(\sigma_3, \Delta) \mid I(a)(\sigma_1) = \sigma_2,\ I(b)(\sigma_3) = \bot \} \cup \{ (\sigma, \Delta) \mid I(a)(\sigma) = \bot \}$$

whereas

$$I(a;b + a \circ b) = I(a;b) \cup I(a \circ b).$$

Therefore we introduce the following abstraction operation.

Definition 9. Let $\alpha(R)$, for $R \subseteq D$, be the smallest set containing $R$ which is closed under the following conditions:

C1  $w_1 w_2 \in R \Rightarrow w_1 (\sigma, \sigma) w_2 \in R$  ($w_1 \neq \varepsilon$)

C2  $w \in R \Rightarrow (\sigma, \sigma) w \in R$  ($(\sigma, \Delta) \notin R$)

C3  $w_1 (\sigma, \sigma')(\sigma', \sigma'') w_2 \in R \Rightarrow w_1 (\sigma, \sigma'') w_2 \in R$

The first two closure conditions introduce finite stuttering. The third condition 'internalizes' interleaving points. The restrictions on the conditions C1 and C2 ensure correctness (without these restrictions we would identify, for example, $\delta$ and $\tau;\delta$).
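To see the closure conditions at work, here is an added example (written for this edit, not the paper's code) that computes $\alpha(R)$ of Definition 9 for sets of reactive sequences over a two-state space, truncated at a length bound because the stuttering conditions C1 and C2 make the full closure infinite. The sample sets (the reactive sequences of a write action $w$, of $w;\tau$, of $\delta$ and of $\tau;\delta$), the state space, the bound and the function names are all constructed for the example.

```python
"""Added example (not the paper's code): the abstraction alpha of Definition 9
on sets of reactive sequences, computed up to a length bound.  The sample
sets, the state space and the bound are this example's own constructions."""

DELTA = 'DELTA'   # the deadlock marker (the paper's triangle)


def alpha(R, states, max_len):
    """Smallest superset of R closed under C1, C2 and C3, restricted to
    sequences of at most max_len pairs.  The paper's closure is infinite,
    since C1 and C2 may insert any number of stutter pairs (sigma, sigma);
    the bound is this example's device for comparing two closures.  A
    sequence is a tuple of (sigma, sigma') pairs; (sigma, DELTA) ends a
    deadlocking sequence."""
    closed = set(R)
    # C2 is blocked for states in which R deadlocks immediately.  No closure
    # step creates a new one-pair deadlock sequence, so fix the set up front.
    blocked = {w[0][0] for w in R if len(w) == 1 and w[0][1] == DELTA}
    while True:
        new = set()
        for w in closed:
            if len(w) < max_len:
                # C1: insert a stutter after any non-empty prefix w1
                for i in range(1, len(w) + 1):
                    for sigma in states:
                        new.add(w[:i] + ((sigma, sigma),) + w[i:])
                # C2: prefix a stutter, unless (sigma, DELTA) is in R
                for sigma in states:
                    if sigma not in blocked:
                        new.add(((sigma, sigma),) + w)
            # C3: two connected state pairs contract to a single step
            for i in range(len(w) - 1):
                (s1, s2), (s3, s4) = w[i], w[i + 1]
                if s2 == s3 and DELTA not in (s2, s4):
                    new.add(w[:i] + ((s1, s4),) + w[i + 2:])
        new -= closed
        if not new:
            return frozenset(closed)
        closed |= new


def identified(R1, R2, states, max_len=4):
    """True when the two sets have the same bounded alpha-closure."""
    return alpha(R1, states, max_len) == alpha(R2, states, max_len)


# Constructed sample sets over two states.  I_W and I_W_TAU are the reactive
# sequences of a write action w (it always sets the state to 1) and of w;tau,
# mirroring the paper's comparison of a and a;tau; I_DELTA and I_TAU_DELTA
# are the sequences of delta and of tau;delta.
STATES = (0, 1)
I_W = {((0, 1),), ((1, 1),)}
I_W_TAU = {((s, 1), (t, t)) for s in STATES for t in STATES}
I_DELTA = {((s, DELTA),) for s in STATES}
I_TAU_DELTA = {((s, s), (t, DELTA)) for s in STATES for t in STATES}

if __name__ == '__main__':
    print(I_W == I_W_TAU)                             # False: differ as plain sets
    print(identified(I_W, I_W_TAU, STATES))           # True: alpha identifies them
    print(identified(I_DELTA, I_TAU_DELTA, STATES))   # False: C2's side condition keeps them apart
```

The first comparison is the paper's point that $a$ and $a;\tau$ have different reactive sequences but the same $\alpha$-closure; the second shows why the side condition on C2 matters, since without it the stutter could be prefixed to the deadlock of $\delta$.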

Definition 10. We introduce the semantics $I_\alpha$ defined by $I_\alpha(s) = \alpha(I(s))$. Moreover, we define $s \approx_\alpha t$ if and only if $I_\alpha(s) = I_\alpha(t)$, for every $I$.

We have the following generic full abstraction result for monoidal interpretations.

Theorem 4. For any statements $s$ and $t$, $s \approx_\alpha t$ if and only if $s \equiv t$.

Proof. The implication $s \approx_\alpha t \Rightarrow s \equiv t$ follows from the compositionality of $I_\alpha$ and its correctness with respect to the initial/final state semantics.

With respect to the proof of the implication $s \not\approx_\alpha t \Rightarrow s \not\equiv t$ we first observe that the construction of a distinguishing context in the proof of Theorem 2, which is based on sequences of states (of the state-space of the given interpretation), does not apply here because the resulting interpretation does not satisfy the monoid structure: the interpretation of $\tau$ does not correspond with the identity function and the interpretation of a composed action $a \circ b$ does not correspond with the (functional) composition of the interpretations of $a$ and $b$.

Instead we define now the distinguishing context in terms of the state-space of the interpretation $I$ for which $I_\alpha(s) \neq I_\alpha(t)$ holds: Let $\omega = (\sigma_1,\sigma'_1)\ldots(\sigma_n,\sigma'_n) \in I_\alpha(s) \setminus I_\alpha(t)$ (the case of $\omega$ ending in deadlock is treated similarly). We define a new interpretation $J$ with the same state space $\Sigma$ as that of the given interpretation $I$ such that for every action $a$ occurring in $s$ or $t$, $J(a) = I(a)$. Furthermore let $a_i$, $1 \le i < n$, be some new actions not occurring in $s$ or $t$. Without loss of generality we may assume that these actions are atomic in the following sense: If $a = b \circ c$ then either $a = b$ and $c = \tau$ or $a = c$ and $b = \tau$. We define $J(a_i) = \{(\sigma'_i, \sigma_{i+1})\}$ (so $a_i$ transforms $\sigma'_i$ into $\sigma_{i+1}$ and blocks in every other state). Let $r = a_1; \ldots; a_{n-1}$. It follows that $(\sigma'_n, E) \in J(s \parallel r)(\sigma_1)$. Moreover, for any statement $u$, with $a_1, \ldots, a_{n-1}$ not occurring in $u$, we have that $(\sigma'_n, E) \in J(u \parallel r)(\sigma_1)$ implies $\omega \in J_\alpha(u)$. We sketch the basic reasoning pattern underlying this implication: Let $\omega'$ be a successfully terminating computation (more precisely, a connected reactive sequence) of $u \parallel r$ starting in $\sigma_1$ and resulting in $\sigma'_n$. It follows that for every action $a_i$ there exists a computation step $(\sigma'_i, \sigma_{i+1})$ in $\omega'$ such that the execution of $u$ has transformed $\sigma_i$ by some finite number of computation steps into $\sigma'_i$. By the closure condition C3 these consecutive computation steps of $u$ are represented in $J_\alpha(u)$ also by the one computation step $(\sigma_i, \sigma'_i)$. In case $\sigma_i = \sigma'_i$ we can also apply the closure condition C1 or C2 (it is not difficult to see that $(\sigma'_n, E) \in J(u \parallel r)(\sigma_1)$ implies $(\sigma_1, \Delta) \notin J_\alpha(u)$). □

Also here we have that the usual full abstractness result for a given $I_\alpha$ does not hold. For example, the monoidal interpretation based on concurrent constraint programming requires some further abstractions which stem from the monotonicity of the basic actions (see [...] and below).

With the introduction of the monoid structure on actions the failure equivalence defined above must be changed in order to cope with the fixed interpretation of the $\tau$ and $\delta$ actions and the composition operator $\circ$.

Definition 11. Let $a$ be an action different from $\tau$ and $\delta$; by $s \xrightarrow{a}_\alpha t$ we mean that there exist $a_1 \ldots a_n$ and $s_1 \ldots s_{n-1}$ such that $s \xrightarrow{a_1} s_1 \cdots \xrightarrow{a_n} t$ and $a = a_1 \circ a_2 \circ \ldots \circ a_n$. Let $w$ be a sequence of actions different from $\tau$ and $\delta$; by $s \stackrel{w}{\Longrightarrow}_\alpha t$ we mean the following: if $w$ is the empty sequence then $t$ can be reached from $s$ via a non-empty sequence of $\tau$ actions, otherwise, if $w$ is the sequence $a_1 \ldots a_n$ then $s \xrightarrow{a_1}_\alpha \cdots \xrightarrow{a_n}_\alpha t$. We define

$$F_\alpha(s) = \{ (w, E) \mid s \stackrel{w}{\Longrightarrow}_\alpha E \} \cup \{ (w, T) \mid s \stackrel{w}{\Longrightarrow}_\alpha t,\ \tau \notin Init(t),\ \text{and } T \subseteq A \text{ s.t. } T \cap Init(t) = \emptyset \}$$

where $Init$ has been defined in Definition 7 on the initial transition system.

In the definition of $F_\alpha$ we consider the condition $\tau \notin Init(t)$, where $Init(t)$ denotes the set of initial actions of $t$ according to the original transition relation $t \xrightarrow{a} t'$ ($t \neq E$), because only failures of stable statements (as they are called in [...]) must be taken into account. A statement $s$ which is able to perform an initial $\tau$ action is not stable, in the sense that it is always able to perform this kind of action whatever the actual state of the computation is.



Theorem 5. For any statements $s$ and $t$, $s \approx_\alpha t$ if and only if $F_\alpha(s) = F_\alpha(t)$.

Proof. We have to resort to a different proof than that of Theorem 3 because the interpretation defined in that proof does not satisfy the monoidal structure. Instead, we show in the full paper that for every two statements $s$ and $t$ there exist statements $s'$ and $t'$ such that $I_\alpha(s) = I_\alpha(t)$ if and only if $I(s') = I(t')$, for every monoidal interpretation $I$, and $F_\alpha(s) = F_\alpha(t)$ if and only if $F(s') = F(t')$. And so we can apply Theorem 3. In fact, the statements $s'$ and $t'$ can be obtained by the rewrite rules $s;\tau \to s$ and $a;(b;s + t) \to a;(b;s + t) + a \circ b;s$ (or $a;(b + t) \to a;(b + t) + a \circ b$). □



In order to give a complete axiomatization (for finite statements) of this new failure semantics we have to add to the axioms in Table 1 new axioms dealing with the special $\delta$ and $\tau$ actions, and the composition operator $\circ$. In Table 2 we present the deadlock laws D for the $\delta$ action, the axioms T for $\tau$, and the contraction laws C for the composition operator $\circ$.

Theorem 6. For any statements $s$ and $t$,

$$s \approx_\alpha t \text{ if and only if } A + M + F + D + T + C \vdash s = t$$

It is of interest to observe that we do not consider the standard $\tau$-law $s = s;\tau$ but a weaker version $s = s + s;\tau$. In fact, we will see in the following that the standard law is now derivable from its weaker version due to the presence of the contraction laws. Moreover, we introduced this kind of axiomatization because it is possible to prove that there is a strong connection between, on the one hand, abstraction of granularity and the contraction laws C1 and C2, and, on the other hand, finite stuttering and the $\tau$-laws T1, T2, and T3.

Table 2. The laws for $\delta$, $\tau$ and $\circ$.

D1  $s + \delta = s$
D2  $\delta;s = \delta$
T1  $s = s + s;\tau$
T2  $a;(\tau;s + t) = a;(\tau;s + t) + a;\tau;s$
T3  $a;(\tau + t) = a;(\tau + t) + a;\tau$
C1  $a;(b;s + t) = a;(b;s + t) + a \circ b;s$
C2  $a;(b + t) = a;(b + t) + a \circ b$

Theorem 7. Let $\alpha_1$ denote the abstraction operation corresponding to the closure conditions C1 and C2. We define $I_{\alpha_1}(s) \subseteq D$ by $\alpha_1(I(s))$. Here $\alpha_1(R)$, for $R \subseteq D$, is defined as the smallest set containing $R$ which is closed under the closure conditions C1 and C2. We have

$$s \approx_{\alpha_1} t \text{ if and only if } A + M + F + D + T \vdash s = t$$

where $s \approx_{\alpha_1} t$ if and only if $I_{\alpha_1}(s) = I_{\alpha_1}(t)$, for every $I$.

Let $\alpha_2$ denote the abstraction operation corresponding to the closure condition C3. We define $I_{\alpha_2}(s) \subseteq D$ by $\alpha_2(I(s))$. Here $\alpha_2(R)$, for $R \subseteq D$, is defined as the smallest set containing $R$ which is closed under the closure condition C3. We have

$$s \approx_{\alpha_2} t \text{ if and only if } A + M + F + D + C \vdash s = t$$

where $s \approx_{\alpha_2} t$ if and only if $I_{\alpha_2}(s) = I_{\alpha_2}(t)$, for every $I$.

An alternative axiomatization of the contraction laws consists of the introduction of the $\circ$ operator to statements.

Definition 12. We have the following transition rules for $\circ$:

— If $s \xrightarrow{a} s'$ then $s \circ t \xrightarrow{a} s' \circ t$, where $s'$ is assumed to be distinct from $E$.

— If $s \xrightarrow{a} E$ and $t \xrightarrow{b} t'$ then $s \circ t \xrightarrow{a \circ b} t'$.

The operator $\circ$ is associative and is distributive wrt $+$ and $;$ (see Table 3). The 'contraction' law can now be described by the axiom in Table 4.
Table 3. Associativity and distributivity of $\circ$.

B1  $(s \circ t) \circ u = s \circ (t \circ u)$
B2  $s \circ (t;u) = (s \circ t);u$
B3  $(s;t) \circ u = s;(t \circ u)$
B4  $s \circ (t + u) = (s \circ t) + (s \circ u)$
B5  $(s + t) \circ u = (s \circ u) + (t \circ u)$

Table 4. The contraction law.

B6  $s;t = s;t + s \circ t$

Theorem 8. For any statements $s$ and $t$,

$$s \approx_\alpha t \text{ if and only if } A + M + F + D + T + B \vdash s = t$$

Under this alternative characterization it is clear that the standard $\tau$-law $s = s;\tau$ is derivable. Indeed, we have that $s = s + s;\tau$ by T1 and $s;\tau = s;\tau + s \circ \tau$ by B6; but it is easy to prove that $s \circ \tau = s$, hence also $s;\tau = s;\tau + s$.

Of interest is that a similar operator $\circ$ has been introduced already in [...] for modeling mutual exclusion. The main difference with our axiomatization is that we use the operator of mutual exclusion to model the abstraction from internal interleaving points. This abstraction is captured by the contraction law.



5 Read and Write Actions 

In this section we briefly discuss a generic process algebra for read and write actions (in the context of a monoid of actions). We assume a partitioning of the set of actions into the sets $write$ and $read$ of write and read actions. Write actions are autonomous actions which never block, i.e. for every interpretation $I$ and write action $a$ we have that $I(a)(\sigma) \neq \bot$. For $a \in read$ we require that $I(a)(\sigma) = \sigma$ if $I(a)(\sigma)$ is defined. Note that thus $\tau$ and $\delta$ are special kinds of read actions. Table 5 gives an algebraic characterization of the read and write actions. The axioms W1 and W2 describe the autonomous nature of the write action with respect to the plus operator. The axiom R captures the interplay between write and read actions. Note that we do not have $a = b;a$ because the read action $b$ in general introduces deadlock. For example, the initial/final state semantics of $a + b$ and $b;a + b$ in general differ: Let $I$ be an interpretation such that $I(b)(\sigma)$ is undefined. The execution of $b;a + b$ in $\sigma$ then will deadlock whereas $a + b$ will result in $I(a)(\sigma)$.
W1   a; (b; s + t) = a; (b; s + t) + a; b; s      b ∈ write
W2   a; (b + t) = a; (b + t) + a; b              b ∈ write
R    a = a + b; a                                a ∈ write, b ∈ read

Table 5. Read and write actions.
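Added example (not code from the paper): a small initial/final-state interpreter for statements over ';' and '+', with constructed write and read actions, that checks axioms W1, W2 and R of Table 5 and the a ≠ b; a counterexample. The choice semantics (any enabled branch may be taken; a computation deadlocks only when no move is possible) is an assumption reconstructed from the example above.

```python
# Added example, not from the paper. Statements are built from actions with
# ';' (sequence) and '+' (choice); an interpretation maps each action name to a
# partial function on states (None = undefined, i.e. the action blocks).
# Assumed semantics: a choice may take any enabled branch, and a computation
# deadlocks only when no move is possible. States and interpretations below
# are constructed for illustration.

DEADLOCK = "delta"   # marker for a blocked computation
E = ("E",)           # the terminated statement

def act(a):       return ("act", a)
def seq(s, t):    return ("seq", s, t)
def choice(s, t): return ("choice", s, t)

def step(stmt, sigma, interp):
    """Yield the one-step moves (stmt', sigma') of (stmt, sigma)."""
    kind = stmt[0]
    if kind == "act":
        out = interp[stmt[1]](sigma)
        if out is not None:              # a blocked action yields no move
            yield (E, out)
    elif kind == "seq":
        _, s, t = stmt
        for s2, sigma2 in step(s, sigma, interp):
            yield (t if s2 == E else seq(s2, t), sigma2)
    elif kind == "choice":
        _, s, t = stmt
        yield from step(s, sigma, interp)
        yield from step(t, sigma, interp)

def final(stmt, sigma, interp):
    """Initial/final-state semantics: the set of final states reachable from
    (stmt, sigma), with DEADLOCK recorded for every blocked computation."""
    if stmt == E:
        return {sigma}
    moves = list(step(stmt, sigma, interp))
    if not moves:
        return {DEADLOCK}
    result = set()
    for stmt2, sigma2 in moves:
        result |= final(stmt2, sigma2, interp)
    return result

def equal(lhs, rhs, interp, states):
    """True iff lhs and rhs have the same final-state sets from every state."""
    return all(final(lhs, s, interp) == final(rhs, s, interp) for s in states)

# Constructed state space (integers mod 4) and interpretation.
STATES = range(4)
INTERP = {
    "w":  lambda n: (n + 1) % 4,                # write action: always defined
    "w2": lambda n: (n * 3) % 4,                # another write action
    "r":  lambda n: n if n % 2 == 0 else None,  # read action: partial identity
    "r2": lambda n: n if n < 2 else None,       # another read action
}
a, b, r, r2 = act("w"), act("w2"), act("r"), act("r2")

def check_table5():
    """Axioms W1, W2, R of Table 5 (with s = r, t = r2) and the counterexample
    a != b; a for a read action b. Returns four booleans."""
    w1 = equal(seq(a, choice(seq(b, r), r2)),
               choice(seq(a, choice(seq(b, r), r2)), seq(a, seq(b, r))),
               INTERP, STATES)                          # b in write
    w2 = equal(seq(a, choice(b, r2)),
               choice(seq(a, choice(b, r2)), seq(a, b)),
               INTERP, STATES)                          # b in write
    rr = equal(a, choice(a, seq(r, a)), INTERP, STATES)  # a in write, r in read
    # a and r; a differ: from an odd state r is undefined, so r; a deadlocks
    differ = not equal(a, seq(r, a), INTERP, STATES)
    return w1, w2, rr, differ

if __name__ == "__main__":
    print(check_table5())   # (True, True, True, True)
```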



Next we consider monotonic read and write actions.

Definition 13. Given an information ordering ⊑ on the set of states, a monotonic interpretation assigns to each action a monotonic function.

Characteristic instances of this class are the concurrent constraint languages. Table 6 gives an algebraic characterization of these monotonic interpretations. The axioms MR1 and MR2 describe a characteristic commutativity property of the read actions in monotonic interpretations.



MR1   a; (b; s + t) = a; (b; s + t) + b; a; s      b ∈ read
MR2   a; (b + t) = a; (b + t) + b; a              b ∈ read

Table 6. Monotonic interpretations.



We refer to the full paper for the completeness proof of the above axiomatizations.

6 Conclusion and Future Work 

We have introduced a general framework C for the study of process algebras of concurrent languages based on asynchronous communication. We have argued that in this framework the failure semantics as developed for action-based process algebras like ACP coincides with the initial/final state semantics of C. Furthermore we have given a generic process algebra for instantiations of C which are based on a state-based composition operation of the actions. Finally, we concluded with a generic characterization of read and write actions.

Currently we are investigating instantiations of C which involve an information ordering on the set of states. An interesting class of such instantiations are those which interpret the actions as closure operators (concurrent constraint programming is such an instantiation), i.e.

— I(a) is extensive (σ ⊑ I(a)(σ))

— I(a) is idempotent (I(a)(I(a)(σ)) = I(a)(σ)).

Of interest also is a generic process algebra of so-called get actions which remove information, i.e. I(a)(σ) ⊑ σ.

Another line of research involves the introduction of a general state-based hiding operator in the language C. To this end we envisage the introduction of instantiations of C which are based on cylindric algebras. The general notion of existential quantification as given by these algebras will then provide a basis for the introduction of a corresponding programming construct in the language C.
Abstract. A configuration of a timed automaton is given by a control state and finitely many clock (real) values. We show here that the binary reachability relation between configurations of a timed automaton is definable in an additive theory of real numbers, which is decidable. This result implies the decidability of model checking for some properties which cannot be expressed in timed temporal logics and provides alternative proofs of some known decidable properties. Our proof relies on two intermediate results: 1. Every timed automaton can be effectively emulated by a timed automaton which does not contain nested loops. 2. The binary reachability relation for counter automata without nested loops (called here flat automata) is expressible in the additive theory of integers (resp. real numbers). The second result can be derived from



1 Introduction 

Timed automata have been introduced in Q to model real time systems and quickly became a standard. They roughly consist in adding to finite state automata a finite number of clocks which grow at the same speed. Each transition comes together with some clock resets and an enabling condition, whose satisfaction depends on the current clock values. Temporal properties of real time systems have been expressed and studied through temporal logics such as TPTL, MITL, TCTL and timed μ-calculi. These logics are in general undecidable, with the notable exception of MITL. On the other hand, model-checking is decidable for the (real-time) branching time logics, though hard in general.

Timed models are harder than untimed ones since they can be seen as infinite state systems in which every configuration consists of a pair of a control state (out of a finite set) and a vector of real clock values. Reasoning about possible clock values in each state is the core of the difficulty. In this paper, we adopt the following point of view: infinite sets of configurations can be finitely described using constraints. For instance, "(q, x > y + z)" is the set of configurations in control state q and such that the clock x is larger than the sum of clocks y and z. This point of view is not new, as the regions of Q, which are used in a crucial way in the verification algorithm, are indeed a representation of
sets of configurations. Here, we go one step further: we express not only sets of configurations, but also relations between configurations in a (decidable) constraint system. Then temporal properties of the model are described through the binary reachability relation → relating clock values, which is expressible in the constraint system. Since we may always assume that there is a clock τ which is never reset by the automaton (and hence is a witness of the total elapsed time), we may express for instance some delay conditions such as "d is a delay between q and q'" as a constraint: ∃x, x', τ. (q, x, τ) → (q', x', τ + d). Now it is possible to analyse delays between some events, such as finding minimal or maximal delays. There are already algorithms which find such extremal delays Q, but we may also decide properties such as: "the delay between event a and event b is never larger than twice the delay between event a' and event b'" (which is, to our knowledge, a new decidability result). More generally, our main result is that the binary reachability relation between clock values, which is defined by a timed automaton, is effectively expressible in the additive theory of real numbers. Since the additive theory of real numbers is decidable, any property which can be expressed in this theory using the reachability relation can be decided. In particular, we can compute the configurations reachable from a definable set of configurations as well as the set of configurations from which we can reach a definable set. Hence we have forward and backward model-checking algorithms for safety properties as simple instances of our result. But we may also check properties which express relations between the original and final clock values. Also, some parametric verification is possible as we may keep free variables in the description of original and final configurations: for safety properties, the results of [...] can be derived from our main result. Finally, we can handle more general models than timed automata: transitions may be guarded by arbitrary first-order formulas over clocks, provided that such transitions can only be fired a bounded number of times.

On the negative side, not all timed temporal properties can be expressed in the first-order theory of →. Typically, unavoidability is not expressible. This is not surprising since our logic is decidable, whereas the timed temporal logics are not in general.

Our main result is proved in two steps: first we show that any timed automaton can be emulated by an automaton without nested loops, hereafter called a flat automaton. The notion of emulation will be made precise; for now, only keep in mind that it preserves the reachability relation. Hence, in some sense, timed automata with star height n are not more expressive than timed automata with star height 1. (This is not true, of course, if we consider the accepted language instead of the reachability relation as an equivalence on automata.) The second step consists of applying one of our former results, which shows that the reachability relation is effectively expressible in the additive theory of real (resp. integer) numbers for flat counter automata. We go from timed automata to automata with counters using an encoding due to L. Fribourg Q.

The emulation result itself is proved in three steps: first we define an equivalence relation on transition sequences, which we show to be right compatible and of finite index. This is similar to a region construction, though the equivalence is rather on pairs of configurations than on configurations. Second, we show some commutation properties of equivalent transition sequences: roughly, equivalent transition sequences can be performed in any order, without affecting the reachability relation. The third (and last) step consists in using combinatorial arguments on words and proving that there is a flat automaton whose language contains a set of representatives for the congruence generated by the commutation properties. (This result can be stated as a formal language property which is independent from the rest of the paper.) This provides a mechanical way to choose which transition sequence to commute with another: the representatives of the congruence classes are the normal forms w.r.t. a regular string rewriting system.

From this proof, we can also derive some other decidability results. For instance, we can decide whether a sequence of transitions can be iterated.

In Section 2 we recall the basic definitions of timed automata and we introduce our constraint system. Next, we sketch the proof of the emulation result in Section 3 and derive in Section 4 the definability of the reachability relation. In Section 5 we show some examples of temporal properties which can be expressed in the theory of real numbers. In particular we give examples showing the expressiveness of the binary reachability relation. We conclude in Section 6. Many constructions are only sketched in this extended abstract. More details can be found in [...].

2 Timed Automata 

We start with a classical notion of timed automaton, which includes invariants in the states and guarded transitions. The precise syntax and semantics of the timed transition systems we use here are not important: we can switch from the following definitions to others (such as Q) without changing our main result. The events and the accepted language are also irrelevant here, as we are interested in reachability.

2.1 Syntax and Semantics 

Let B be a finite set of real numbers (we will assume later that these constants are in ℤ) and C a finite set of variables called clocks. Φ(B, C) is the set of conjunctions¹ of atomic formulas of the form x < c, x > c, x ≤ c, x ≥ c, x = c where x ∈ C and c ∈ B.

Definition 1. A timed automaton is a tuple ⟨Σ, Q, Q0, C, I, E⟩ where

— Σ is a finite alphabet

— Q is a finite set of states (and Q0 ⊆ Q is a set of start states, irrelevant here)

— C is a finite set of clocks

— I is a mapping from Q to Φ(B, C) (the invariant associated with each state).

— E ⊆ Q × Q × Σ × 2^C × Φ(B, C) gives the set of transitions. In each transition ⟨q, q', a, λ, φ⟩, λ is a set of clock resets and φ is a clock constraint.

¹ Having arbitrary Boolean combinations does not increase the expressive power. We choose to consider conjunctions only since they guarantee a convexity property for the invariant constraints.

A configuration of the automaton is a pair (q, V) where q ∈ Q and V ∈ ℝ^|C| is a clock value. There is a move of a timed automaton A from a configuration (q, V) to (q', V'), which we write (q, V) →_A (q', V'), iff

— Either q = q' and V ⊨ I(q), V' ⊨ I(q) and there is a positive real number t such that, for every component i, v'_i = v_i + t.

— Or else there is a transition ⟨q, q', a, λ, φ⟩ and a positive real number t such that V ⊨ φ and for every component i, either v_i ∈ λ and then v'_i = t, or else v_i ∉ λ and v'_i = v_i + t. Moreover, V' ⊨ I(q').

→*_A is the reflexive transitive closure of →_A. We also write →_{A,q1,q2} ⊆ ℝ^|C| × ℝ^|C| for the relation on clock vectors defined by V →_{A,q1,q2} V' iff (q1, V) →*_A (q2, V').

We will always assume without loss of generality that there is a clock τ which is never reset.



Fig. 1. A timed automaton [figure not reproduced]

Example 1. An example of a timed automaton is displayed on Figure 1. As usual, invariants are written in the states and enabling conditions label the edges. The variables which are reset by a transition are written inside brackets. We assume that there are three clocks x, y, τ.

If we consider for instance transitions c, d only, we can express →_{q1,q1} using the formula:

∃τ1, x1, y1, t1, t2. τ1 = τ + t1 ∧ x1 = x + t1 ∧ y1 = y + t1 ∧ x1 < 1
∧ ∃n. τ' = t1 + 2n − 1 + t2 ∧ x' = t2 ∧ x' < 1 ∧ y' = 1 + t2

t1 is the time spent before the first transition c is fired and is specified on the first line. τ1, x1, y1 are the values of the clocks at that date. Then n is the number of times the loop cd is executed and t2 is the time spent in q1 after the last transition d has been fired.

This is typically what we will get from our formula computation.

A flat automaton is a timed automaton which does not contain nested loops: for every state q there is at most one non-empty path from q to itself.

Example 2. The automaton of Figure 1 is not flat. If we remove any of the four transitions, we have a flat automaton.
2.2 Emulation

Definition 2. A timed automaton A' emulates A if there is a mapping φ from the set of states of A' into the set of states of A such that, for every states q, q' of A and every clock vectors V, V', (q, V) →*_A (q', V') iff there are states q1 ∈ φ^{-1}(q), q'1 ∈ φ^{-1}(q') such that (q1, V) →*_{A'} (q'1, V').



Fig. 2. An emulation automaton 

Example 3. The automaton of Figure 2 emulates the automaton of Figure 1. The states q'_i are mapped to q_i. It is a flat automaton. It is not straightforward that this automaton indeed emulates the original one. Note for instance that the possible event sequences are different, as abcdcdabcd is a possible sequence in the automaton of Figure 1 and is not a possible sequence in the automaton of Figure 2. However, this sequence yields the same binary relation between configurations as the sequence abcdabcdcd, which is possible in the automaton of Figure 2.

The automaton of Figure 2 is typically what we want to compute from the automaton of Figure 1.

Lemma 1. If A' emulates A then →_{A,q1,q2} = ⋃_{q'1 ∈ φ^{-1}(q1), q'2 ∈ φ^{-1}(q2)} →_{A',q'1,q'2}.

Hence, as far as reachability is concerned, we may consider any automaton emulating A instead of A itself.



2.3 The Additive Theory of Real Numbers 

The theory T we consider here is defined as follows. Terms are built from variables, the constants 0, 1 and the function symbol +. Formulas are built using first-order quantifiers and the usual logical connectives on atomic formulas which are either equations u = v between terms or predicates Int(u) where u is a term.

The domain of interpretation of such formulas is the set of non-negative real 
numbers, with the usual interpretation of function symbols. Int is the set of 
natural numbers. 

This theory can be encoded in S1S using the (infinite) binary representation of real numbers. Hence it is a decidable theory.

Example 4. The formula of Example 1 is a formula of this theory.

We do not know the complexity of this theory, nor of the fragment of T which is used here.



3 Every Timed Automaton Can Be Emulated by a Flat Timed Automaton

The automaton of Figure 1 is not flat because there are two loops ab and cd on state q1. If the order of the two loops was irrelevant to the reachability relation, we could switch them and assume that all sequences ab are performed before sequences cd. Then we would get a flat automaton, first considering the loop ab and then the loop cd. However, in this example, we cannot switch the two sequences because, for instance, abcd and cdab do not induce the same relations on the initial values of the clocks. Then, the question is: when can we switch two sequences of transitions w and w' without altering the reachability relation? Let us look first at some necessary conditions.

If w and w' do not induce the same relations on initial clock values, then their order is relevant since, for instance, w may occur after some other transition sequence, whereas w' cannot. This is the case in our example: ab and cd do not induce the same relations on initial clock values, and ab cannot occur after another ab, whereas cd can occur after ab. ababcd is impossible and abcdab is possible. Hence a first necessary condition is that w and w' induce the same constraints on initial clock values.

Similarly, w and w' should enable the same transitions: whether w or w' has been executed last should not be relevant for further transitions. This means that w and w' should induce the same constraints on final clock values, or at least constraints that can be met by the same enabling conditions of further transitions.

There are further necessary conditions for two transition sequences to commute. 



Example 5. For instance consider the automaton displayed on Figure 3.

Fig. 3. Another example of non-commuting loops

On this example, let w = ab and w' = cde. Executing ww' yields a constraint x' − x ≥ τ' − τ on the final and initial x values, whereas w'w yields a strictly weaker constraint x' − x ≥ τ' − τ − 2. (To see this, start with τ = 1 and x = 0. w'w may yield a configuration in which τ' = 4 and x' = 1, which is not reachable using ww'.) On the other hand both w and w' induce the same constraints on initial clock values and on final clock values. Hence another necessary condition for switching w and w' is that they induce the same discrepancy between x − x' and τ − τ'.
We will see that, very roughly, these three necessary conditions are also sufficient.

We are going to define a right compatible equivalence ~ on transition sequences such that, in particular, the above situations cannot occur when w ~ w'. ~ will be of finite index. Hence we will be able to split the states according to its equivalence classes, ensuring that two sequences starting from the initial state and which have the same final extended state can be switched, without changing the reachability relation.



3.1 A Right Compatible Equivalence on Transition Sequences 

This is the analog of regions, considering pairs of configurations instead of single configurations. Roughly, in the region construction, two configurations (q, v) and (q, v') are considered as equivalent if they satisfy the same constraints x ≥ y + c, x > y + c where x, y are clocks and c is a constant (which is bounded by the largest constant of the model). Here, we define a right compatible equivalence on pairs of configurations (q1, v1), (q2, v2) and (q1, v'1), (q2, v'2). Two such pairs are equivalent, roughly, if they satisfy the same constraints x ≥ y' + c, x' ≥ x + c, ..., i.e. not only constraints relating clock values at a given time, but also constraints relating clock values before and after a sequence of transitions. The situation is not as simple as in the region case, however. Indeed, the relevant constants c now range over an a priori infinite set.

Let E be the set of transitions and w, w' be transition words. Let moreover φ_w be the formula with free variables X, X' which expresses the relationship between clock values before and after w:

(q, V) →^w_A (q', V') iff V, V' ⊨ φ_w

Note that this formula is independent of the states q, q' since we gave a different name to each transition of A. Hence, given w there is only one starting and one target state for w. (Actually, q, q' are implicitly "encoded" into w.)

As we want to commute sequences of transitions of the same class, we will need to keep a control property in the equivalence relation. ~0 ensures that two equivalent words are computations between the same states: w ~0 w' iff the source and target states of w, w' are identical.

The first property we want to keep is the relation between the initial clock values: let ~1 be defined by (# is either < or ≤; in the following we will only consider ≤ for the sake of simplicity):

w ~1 w' ⇔ ∀x, y ∈ X, ∀c ∈ ℝ, φ_w ⊨ x # y + c iff φ_w' ⊨ x # y + c



Example 6. Let us consider again the automaton of Figure 1; let S be the transition sequence ab and T be the transition sequence cd. Then S ≁1 T. However, we have ST^n ~1 ST^m and [...] for every n, m, k.
The finite index property of ~1 will be guaranteed if constants belong to ℤ since, if K is the maximal constant occurring in the enabling conditions or invariants of the automaton:

Lemma 2. For every w, x, y, min{c ∈ ℝ | φ_w ⊨ x ≤ y + c} ∈ [−K; K] ∪ {+∞, −∞}.

However, ~1 is not right compatible as we may have w ~1 w' and, for some transition t, w·t ≁1 w'·t. That is because the transition t may introduce some constraint which is backward propagated to the initial values of the clocks, and this propagation does not depend on the initial values of the clocks only. In addition to this first difficulty, if we define a similar relation on the final values of the clocks, w ~2 w' ⇔ φ_w ⊨ x' ≤ y' + c iff φ_w' ⊨ x' ≤ y' + c, we also lose the finite index property since the analog of Lemma 2 does not hold for final values of the clocks: the minimal difference imposed by a sequence of transitions on the final values of the clocks can be arbitrarily large. (Think of a clock which is reset at each transition of w and another clock which is never reset.) Hence we have to define ~2 as an approximation w.r.t. the above definition:

w ~2 w' ⇔ ∀c ∈ [−K; K] ∪ {−∞, +∞}, φ_w ⊨ x' ≤ y' + c iff φ_w' ⊨ x' ≤ y' + c



Example 7. In our example, there are only two classes of sequences in (S + T)* w.r.t. ~1: ST(S + T)* and T(S + T)*. Now, w.r.t. ~2, sequences are also distinguished according to their last transition: constraints on final clock values depend on whether the last transition is S or T.

It is out of the scope of this extended abstract to show in detail how we solve the above mentioned difficulties (see Q for more details, in particular all definitions and proofs concerning ~). The main idea is to define other relations which, altogether, will give a right compatible equivalence of finite index. The idea behind ~3 is to restore the compatibility of ~1 w.r.t. the right composition. Hence ~3 anticipates possible relations between initial clock values. More precisely, assume that w ~1 w'. w·t may induce a new constraint on the initial clock values in the following situation: φ_w ⊨ x ≤ y' + c1 ∧ z' ≤ u + c2 and t ⊨ y ≤ z + c3. Then composing w and t, we get φ_{w·t} ⊨ ∃y1, z1. x ≤ y1 + c1 ∧ z1 ≤ u + c2 ∧ y1 ≤ z1 + c3, which implies x ≤ u + c1 + c2 + c3, possibly a new relation between initial clock values.

Roughly w ~3 w' if the sums c1 + c2 such that we have such relations are the same for w and for w'. c1 + c2 may take arbitrary real values. However, we know that c1 + c2 + c3 ∈ [−K, K], thanks to Lemma 2; otherwise x ≤ u + c1 + c2 + c3 would already be a consequence of φ_w. Hence, we only need to consider the sums c1 + c2 which belong to [−2K, 2K], and we keep a finite index relation.

~4 is more complicated. In spirit, it is the same as ~3, guaranteeing the compatibility of ~2. Now, one could think that we have to define ~5, in order to guarantee the compatibility of the new relations. Fortunately, this is not the case and, altogether, the union of ~i for i = 0, ..., 4 is already a right compatible equivalence of finite index.

Still, we have to define more equivalences which take care of e.g. Example 5. ~5 and ~6 express that the discrepancies between constraints on x' − u and y' − z are the same, up to the constant K. Finally ~7 is the symmetric of ~3, roughly reversing the ordering on time. This relation is also necessary for the commutation property (see Q for more details).

Then we have the expected results, defining ~ as ⋃_{i=0}^{7} ~i:

Lemma 3. ~ is a right compatible equivalence on E* and E*/~ can be effectively computed in time O(K^{…} × q^{…}) where n is the number of clocks and q the number of states of A.



Example 8. Continuing the running example, we display on Figure 4 the automaton for ~: u ~ v iff u and v are accepted in the same state of this automaton. Let us recall that S = ab and T = cd, hence Figure 4 is actually an abstraction of the automaton; each transition should be split into two transitions. In addition there should be a trash state for every impossible transition sequence. The complete automaton contains 16 states.

Fig. 4. [figure not reproduced; its edges are labelled S and T]



3.2 Commutation Properties 

The first result is that, if we have equivalent sequences of transitions then we can (almost) perform them in any order, without changing the constraint they induce on the clock values:

Lemma 4. If w ~ w' ~ w'' then φ_{w·w'·w''} ≡ φ_{w'·w·w''}.

This lemma shows that, if we have two sequences of transitions w and w' from q to itself and such that w ~ w', then the iteration of both loops, i.e. the set of transitions (w + w')*, has the same effect on clock values as w*w'*(w + ε). This shows a flattening operation on regular expressions: (w + w')* is not flat whereas w*w'*(w + ε) is flat.

However, we cannot conclude yet since it is not always possible to compute 
an automaton emulating A and such that any two loops on the same state are 
equivalent for ~. We need a more complex construction which proves that the 
automaton can be flattened when we have such commutation properties. This is 
the subject of the next section. 
3.3 A Formal Language Property

In this section, we sketch a formal language property which relates commutation properties and flat automata:

Theorem 1. Let ~ be a congruence of finite index on A* and let ≈ be the least congruence on A* such that w ~ w' ~ w'' implies w·w'·w'' ≈ w'·w·w''. Then there is a flat automaton (all of whose states are final states) which accepts a language containing a set of representatives for ≈.

It is a consequence of the following series of lemmas:

Lemma 5. Let k be the index of ~. There is a constant n(k) such that any word w of length larger than n(k) can be factorised into w = w0·w1·w2·w3·w4 with w1 ~ w2 ~ w3.

This states that any long enough word contains a factor to which the commutation property can be applied. Now, consider the following word rewrite system:

R = {uxvyz → vyuxz | u >_lex v; ux ~ vy ~ z; u, v ∈ A^{k1}}

This rewrite system compares lexicographically prefixes of length k1 of equivalent words and commutes them according to the ordering.

Lemma 6. R is a terminating rewrite system. The set of irreducible words NF(R) w.r.t. R is recognisable. Moreover, if u → v then u ≈ v.

Now, we claim that NF(R) is accepted by a flat automaton for some well-chosen k1. This relies on the following lemma:

Lemma 7. Let A be an automaton accepting NF(R). There is a constant k2 such that, if w is a transition sequence from a state q to itself, then there is a word u whose length is smaller than k2 and an integer m satisfying w = u^m.

Using this lemma together with standard combinatorial arguments we get:

Lemma 8. Let A be an automaton accepting NF(R). There is a constant k2 such that, if w1, ..., wn are transition sequences, of length greater than k2, from a state q to itself, then there is a word u whose length is smaller than k2 and integers m1, ..., mn satisfying wi = u^{mi} for all i.

Finally, thanks to arithmetical properties, we can flatten such automata:

Lemma 9. (u^{m1} + ... + u^{mn})* is accepted by a flat automaton.

Altogether, this allows us to prove Theorem 1.

Example 9. Let us continue our running example. If we apply the algorithm sketched in this section and if we let α = ST (= abcd) and β = T (= cd), then the rewrite system is

R = {αβxααyα → ααyαβxα; ββxβαyβ → βαyββxβ | x, y ∈ (α + β)*}

and the flat automaton (or rather its abstraction using the letters α, β instead of a, b, c, d: the whole flat automaton for NF(R) would contain 76 states) is displayed on Figure 5. All states are final.
Fig. 5. The resulting flat automaton [figure not reproduced]

3.4 The Main Theorem 

Summing up what we have so far, thanks to the above lemmas and Theorem 1 we can compute a flat automaton A1 which accepts at least one sequence of transitions for each equivalence class of ≈. We may moreover restrict the transition sequences accepted by A1 to transition sequences which are possible in the original automaton A, thanks to a closure property for flat automata:

Lemma 10. Let A be any finite automaton and A1 be a flat automaton. Then there is a flat automaton A' which accepts L(A) ∩ L(A1).

Moreover, there are two mappings f1, f2 from states of A' into respectively the states of A and the states of A1 such that, for every w and every states q, q', q1, q'1,

(q →^w_A q' and q1 →^w_{A1} q'1) ⇔ ∃q2, q'2. q2 →^w_{A'} q'2 and f1(q2) = q, f2(q2) = q1, f1(q'2) = q', f2(q'2) = q'1

The proof of this lemma is similar to that of the previous lemmas: we construct A' from the product automaton A × A1; then all loops on a state are powers of a same word, thanks to the flatness of A1. Now, we are able to prove our main theorem:

Theorem 2. Every timed automaton can be emulated by a flat timed automa- 
ton. 



Proof. Let A be any timed automaton and let A1 be a flat automaton which accepts at least one transition sequence for each class modulo ≈. Such an automaton does exist thanks to the above lemmas and Theorem 1 (w ≈ w' implies φ_w ≡ φ_w', as ≈ is the least congruence relation which satisfies the commutation properties of Lemma 4). A can also be seen as a finite automaton on transition sequences and we construct A' as in Lemma 10; A' can be seen as a timed automaton.

Now A' emulates A: let f1, f2 be as in Lemma 10. Then if (q, V) →^w_A (q', V'), let w' ≈ w. (q, V) →^{w'}_A (q', V'), thanks to Lemma 4. In particular if w' is the representative of the class of w w.r.t. ≈ which is accepted by A1 in state q'1, then q1 →^{w'}_{A1} q'1 where q1 is the initial state of A1. It follows, by Lemma 10, that there are states q2, q'2 of A' such that q2 →^{w'}_{A'} q'2. Then (q2, V) →^{w'}_{A'} (q'2, V').

Conversely, if (q2, V) →^w_{A'} (q'2, V'), then (f1(q2), V) →^w_A (f1(q'2), V'). Then it suffices to choose f1 for the emulation function φ of Definition 2.
Example 10. Considering the automaton of Figure 1, our automatic construction will not yield the automaton of Figure 2 (unfortunately). We actually obtain an automaton which is isomorphic to the automaton of Figure [...].



4 Expressibility of the Reachability Relation 



We use here a transformation of timed automata into automata with counters 
and use a result on fiat automata with counters. 



Definition 3 ([9]). An automaton with (real valued) counters is a tuple $(Q, q_i, C, \delta \subseteq Q \times G(C, C') \times Q)$ where

— $Q$ is a finite set of states and $q_i \in Q$ is an initial state;

— $C$ is a finite set of counter names; $C'$ is the set of primed counter names;

— $G(C, C')$ is the set of guards built on the alphabets $C, C'$. A member of $G(C, C')$ is a conjunction of atomic formulas of one of the forms $x \,\#\, y + c$, $x \,\#\, c$ where $x, y \in C \cup C'$, $\# \in \{>, <, =, \geq, \leq\}$ and $c \in \mathbb{R}$.



The automaton may move from a configuration $(q, v)$ to a configuration $(q', v')$, which we write $(q, v) \to (q', v')$, if there is a triple $(q, g, q') \in \delta$ such that $v, v' \models g$, with the standard interpretation of relational symbols.



Example 11. Consider the automaton of the figure.

[Figure 6 residue; the recoverable transition guards are $x' > x - 1$, $y < x' + Z$, $y' < y + 2$]

Fig. 6. A flat counter automaton

Possible moves are for instance: (y, ^J^) — > {q, or {q, ( 3 ))- 

Timed automata can be seen as a particular class of automata with counters: we add a clock $\tau$ which is never reset and never used in the constraints (it measures the total elapsed time) and we use the variable transformation $x \mapsto \tau - x$. This yields a transformation on clock valuations from $V$ to $V_c$. Then, if $\langle q, \phi, A, q' \rangle \in E$, we translate it into a transition $\delta = \langle q, g, q' \rangle$ where $g$ is the translation of $\phi$ together with the constraints $c' = \tau'$ for each $c \in A$ and $c' = c$ for each $c \notin A$, plus the constraints on time positiveness: $\tau' \geq \tau$ and $c \leq \tau$ for every $c$. In this way each timed automaton $A$ can be translated into an automaton with counters $A_c$.

Theorem 3 (|3)- E) (q', V) iff there is a vector such that 3t > 0, 
^ W. Vf) and h m, V h /(?), V^ = V + tl. 

In other words, if we start a computation of $A$ by firing a transition, then $\xrightarrow{*}_{A}$ is identical to $\xrightarrow{*}_{A_c}$, modulo the variable change.

On the other hand, we have the following result on flat automata:

Theorem 4. For every flat real (resp. integer) counter automaton, the relations $\xrightarrow{*}_{q,q'}$ are effectively definable in $T$ (resp. Presburger arithmetic).

Now, from theorem 2, every timed automaton $A$ can be emulated by a flat timed automaton $A'$ and, by the lemma, the reachability relations in $A$ can be expressed as finite unions of the reachability relations of $A'$. By theorem 4, the reachability relations of the flat automaton $A'$ are expressible in the additive theory of real numbers. Hence it follows that:



Theorem 5. For every timed automaton, the binary reachability relations $\xrightarrow{*}_{q,q'}$ are effectively definable in the additive theory of real numbers.



5 Examples of Properties which Can Be Decided on Timed Automata

Using the reachability relation, it is possible to express that some “good” (resp. 
“bad”) thing may (resp. may not) happen. This is typical for safety properties. 
However it is not (at least in an obvious way) possible to express that some- 
thing must happen. Typically, we cannot express inevitability. Hence, only a 
fragment of timed temporal logics can be expressed in the first-order theory of 
the reachability relation. However, our formalism offers other possibilities. 

Example 12. On the simple automaton of the figure, using the binary reachability relation, we can check properties of configurations that are not properties of regions. This points out a difference in nature between our result and region-based ones.

Consider the automaton of the figure: it contains only one clock $x$, and no constant. Assume that we are interested in the following property: “After firing $a$ in configuration $c$, what is the minimal delay spent before reaching $c$ again?” For example, from state $q_0$ with $x = 0$ we can fire $a$ and then $b$ without waiting in $q_1$; then we are again in $q_0$ with $x = 0$. In this case the minimal delay is 0.

If the initial value $x_0$ of $x$ is a parameter, then the minimal delay $d$ is a function of $x_0$. In our example, we have $d(x_0) = x_0$. This result can be obtained using the binary reachability relation, since the set of possible delays is

$$\mathcal{D}(x_0) = \{\tau' - \tau \mid (q_0, x_0, \tau) \xrightarrow{*}_{A} (q_0, x_0, \tau')\}$$

and $d(x_0)$ is such that $d(x_0) \in \mathcal{D}(x_0)$ and $\forall d' \in \mathcal{D}(x_0),\ d(x_0) \leq d'$.




[Figure 7 residue; the only recoverable label is the reset set $\{x\}$]

Fig. 7. A very simple timed automaton

Such a minimal delay property cannot be obtained using classical methods since, usually, the computed delays cannot depend on the initial configuration. For instance, for the automaton of the figure, there are two clock regions (depending on $x = 0$ or not). The minimal delay between two configurations of the region automaton is always 0.

More generally, it is possible to express sets of configurations which are not necessarily unions of regions; any first-order definable set of clock values can be used in the logic. For instance we could express “each time the clock $x$ is the double of clock $y$, we can reach a state in which $y$ is a third of $z$, within a delay which is the half of $x$”:

$$\forall X,\ \exists X',\ (x = 2y) \Rightarrow \big(X \xrightarrow{*} X' \ \wedge\ z' = 3y' \ \wedge\ 2(\tau' - \tau) = x\big)$$

Not only are such sets of configurations expressible, but so are relations between configurations. For instance we can express that “each time we are in state $q$, we can reach a configuration in which the clock $x$ has doubled”. This corresponds to a relation $x' = 2x$.

Using free variables, it is also possible to define values of clocks (or delays). For instance, the minimal delay between configurations $c_1, c_2$ can be defined by:

$$d(x) \equiv \exists \tau,\ (c_1, \tau) \xrightarrow{*}_{A} (c_2, \tau + x)\ \wedge\ \forall y < x,\ \forall \tau,\ \neg\big((c_1, \tau) \xrightarrow{*}_{A} (c_2, \tau + y)\big)$$

and hence can be computed or used in further verifications.

We can take advantage of the binary relation: it is as easy to express properties about the past as about the future. For instance: “each time we reach a state $q$, then the clock $x$ was never larger than $y + z$ in the past”.

We conclude this section with an example which looks more relevant: assume 
we have a server which receives requests from several users. Assume that the 
server receives requests from two users at time t and t + e and that these requests 
are granted at time t + 6i and t + 62- We may want to check that the server is 
“fair” and that the delay 62 is always smaller than 2 x 61 + e, for instance. This 
is again a typical property which can be expressed and checked in our theory. 

6 Conclusion and Perspectives 

We have shown that, for timed automata, the binary reachability relation is definable in a decidable theory. The formula which results from our computation may be, in principle, quite huge since for instance the number of equivalence classes for $\approx$ is exponential. Hence our result is, so far, more of a theoretical nature. One possible future research direction is then to have more precise information on the complexity of the method (both theoretically and practically). However, beyond a hypothetical practical verification technique for timed automata, we believe that our result shows another possible direction of research. It may suggest other (more tractable) real-time computation models, starting from the logical side (the theory of real numbers). For instance, we could start from flat timed automata (without losing expressiveness in the clock valuations sense). It also separates the expressiveness of the properties to be checked (in which it is possible to express many more relationships between clocks) from the expressiveness of the model. There are also several side effects of our proof. For instance we can decide whether or not a loop (or several loops) can be iterated.

The ability to express the reachability relation as a constraint between initial and final clock values allows us to replace a whole automaton (or a piece of it corresponding to a timed automaton) with a single meta-transition, hence faithfully abstracting complex models. This can be used in verifying complex systems.

Conversely, we can mechanically check properties of models which are more 
expressive than timed automata. 

Example 13. We consider two timed automata which are connected by a single transition whose enabling condition is an arbitrary first-order formula $\psi$ over clock values (see the figure). Properties of such a network can be verified as easily (or as hardly) as properties of a single timed automaton: it suffices to compute the binary reachability relation for each individual automaton and then to connect the two formulas with the enabling condition $\psi$.




Fig. 8. An extended timed automaton 

This can be extended of course to any network of timed automata, provided 
that there is no cycle through such general transitions. 

Adding a stop watch to the model yields undecidability of reachability. However, as has been shown elsewhere, this does not imply that we cannot check properties involving accumulated delays. It is not possible, at least in an obvious way, to express accumulated delay constraints using the first-order theory of the reachability relation. We believe that it is still worth studying more deeply what can (and what cannot) be automatically checked using a similar approach.

Another interesting possible investigation consists in considering parametrised timed automata, as in earlier work. Though its authors show that emptiness of such automata is undecidable as soon as there are at least three clocks, our method seems to be well-suited for parametric reasoning and, for instance, we may derive conditions on the control instead of on the number of clocks, which yield decision techniques for such parametrised automata.

Finally, our method seems to be well-suited for models which combine timed automata with additional global variables: assume we add registers to the model, with simple operations on them such as in the definition above; then, for flat timed automata with counters, we expect to get again a decision procedure.
Abstract. Partial Labeled Markov Chains (plMc) generalize process algebra and traditional Markov chains. They provide a foundation for interacting discrete probabilistic systems. Existing notions of process equivalence are too sensitive to the exact probabilities of transitions in plMcs. This paper studies more robust notions of “approximate” equivalence between plMcs.



1 Introduction 

Probability, like nondeterminism, is an abstraction mechanism used to hide inessential 
or unknown details. Statistical mechanics — originated by Boltzmann, Gibbs, Maxwell 
and others — is the fundamental successful example of the use of the probabilistic ab- 
straction. Our investigations are concerned with the development of contextual reason- 
ing principles for concurrent interacting probabilistic systems. Consider the following 
paradigmatic examples. 

Example 1. The work cited here analyzes a component (say c) of the Lucent Technologies’ 5ESS® telephone switching system that is responsible for detecting malfunctions on the hardware connections between switches. This component responds to alarms generated by another complicated system that is only available as a black-box. A natural model to consider for the black-box is a stochastic one, representing the timing and duration of the alarm by random variables with a given probability distribution. That analysis shows that the desired properties hold with high probability, showing that the component being analyzed approximates the idealized behavior (say i) with sufficient accuracy.



Example 2. Consider model-based diagnosis settings. Often information about failure models and their associated probabilities is obtained from field studies and studies of manufacturing practices. Failure models can be incorporated by assigning a variable, called the mode of the component, to represent the physical state of the component, and associating a failure model with each value of the mode variable. Probabilistic information can be incorporated by letting the mode vary according to the given probability distribution. The diagnostic engine computes the most probable diagnostic hypothesis, given observations about the current state of the system.

* Caelum Research Corporation 
These examples illustrate the modes of contextual reasoning that interest us. In the 
first example, we are interested in exploring whether c can substitute for i in arbitrary 
program contexts; i.e. for some context C[], does C[c] continue to approximate C[i]. 
Similarly, in the second example, we are looking to see the extent to which systems 
with similar failure behaviors are intersubstitutable. Such a question perforce general- 
izes the study of congruences elaborated by the theory of concurrency. The theory of 
concurrency performs a study of “exactly intersubstitutable” processes with temporal 
behavior. In the probabilistic context, the extant notions of bisimulation (or any process 
equivalence for that matter) are too sensitive to the probabilities; a slight perturbation 
of the probabilities would make two systems non-bisimilar. The examples motivate a 
shift to the study of the more robust notion of “approximately intersubstitutable”. 

The next example illustrates a deeper interaction of the temporal and probabilistic 
behavior of processes. 

Example 3. Consider a producer and a consumer process connected by a buffer, where 
the producer is say a model of a network. Examples of this kind are studied extensively 
in the performance modeling of systems. In a model of such a system, probability serves 
to abstract the details of the producer (resp. consumer) process by considering rates of 
production (resp. consumption) of data based on empirical information. This model can 
be analyzed to calculate the number of packets lost as a function of the probabilities 
and the buffer size. The analysis aids in tuning system parameters, e.g. to optimize the 
buffer size. These studies are often couched in terms of asymptotic/stationary behavior 
to abstract over the transient behavior associated with system initialization (such as 
large bursts of communication) evident when the system begins execution. 

Such examples motivate the study of equality notions based on “eventually approxi- 
mately intersubstitutable” processes. 

1.1 Our Results 

Partial labeled Markov chains (plMcs) are the discrete probabilistic analogs of labeled transition systems. In this model “internal choice” is modeled probabilistically and the so-called “external choice” is modeled by the indeterminate actions of the environment. The starting point of our investigation is the study of strong bisimulation for plMcs. This study was initiated for plMcs in a style similar to the queuing theory notion of “lumpability”. This theory has been extended to continuous state spaces and continuous distributions. These papers provided a characterization of bisimulation using a negation-free logic $\mathcal{L}$.

In the context of the earlier discussion, we note that probabilistic bisimulation is too 
“exact” for our purposes — intuitively, two states are bisimilar only if the probabilities 
of outgoing transitions match exactly, motivating the search for a relaxation of the notion of equivalence of probabilistic processes. Jou and Smolka note that the idea of saying that processes that are close should have probabilities that are close does not yield a transitive relation, as illustrated by an example of van Breugel. This leads them to propose that the correct formulation of the “nearness” notion is via a metric.

A metric $d$ is a function that yields a real number distance for each pair of processes. It should satisfy the usual metric conditions: $d(P, Q) = 0$ implies $P$ is bisimilar to $Q$, $d(P, Q) = d(Q, P)$ and $d(P, R) \leq d(P, Q) + d(Q, R)$. Inspired by the Hutchinson metric on probability measures, we demand that $d$ be “Lipschitz” with respect to probability numbers, an idea best conveyed via a concrete example.

Example 4. Consider the family of plMcs $\{P_\epsilon \mid 0 \leq \epsilon \leq r\}$ where $P_\epsilon = a_{r-\epsilon}.Q$, i.e. $P_\epsilon$ is the plMc that does an $a$ with probability $r - \epsilon$ and then behaves like $Q$. We demand that $d(P_{\epsilon_1}, P_{\epsilon_2}) \leq |\epsilon_1 - \epsilon_2|$. This implies that $P_\epsilon$ converges to $P_0$ as $\epsilon$ tends to 0.

Metrics on plMcs. Our technical development of these intuitions is based on the key idea expounded by Kozen to generalize logic to handle probabilistic phenomena.



    Classical logic                   Generalization
    Truth values {0, 1}               Interval [0, 1]
    Propositional function            Measurable function
    State                             Measure
    Evaluation of prop. functions     Integration



Following these intuitions, we consider a class $\mathcal{F}$ of functions that assign a value in the interval [0, 1] to states of a plMc. These functions are inspired by the formulas of $\mathcal{L}$: the result of evaluating these functions at a state corresponds to a quantitative measure of the extent to which the state satisfies a formula of $\mathcal{L}$. The identification of this class of functions is a key contribution of this paper, and motivates a metric $d$:

$$d(P, Q) = \sup\{\,|f(s_P) - f(s_Q)| \ \big|\ f \in \mathcal{F}\,\}$$

In section 4 we formalize the above intuitions to define a family of metrics $\{d^c \mid c \in (0, 1]\}$. These metrics support the spectrum of possibilities of relative weighting of the two factors that contribute to the distance between processes: the complexity of the functions distinguishing them versus the amount by which each function distinguishes them. $d^1$ captures only the differences in the probability numbers; probability differences at the first transition are treated on par with probability differences that arise very deep in the evolution of the process. In contrast, $d^c$ for $c < 1$ gives more weight to the probability differences that arise earlier in the evolution of the process, i.e. differences identified by simpler functions. As $c$ approaches 0, the future gets discounted more.

As is usual with metrics, the actual numerical values of the metric are less important 
than properties like the significance of zero distance, relative distance of processes, 
contractivity and the notion of convergence. 

Example 5. Consider the plMc $P$ with two states, and a transition going from the start state to the other state with probability $p$. Let $Q$ be a similar process, with the probability $q$. Then in section 4 we show that $d^c(P, Q) = c|p - q|$. Now if we consider $P'$ with a new start state, which makes a $b$ transition to $P$ with probability 1, and similarly $Q'$ whose start state transitions to $Q$ on $b$ with probability 1, then $d^c(P', Q') = c^2|p - q|$, showing that the next step is discounted by $c$.

Each of these metrics agrees with bisimulation:

$$d^c(P, Q) = 0 \ \text{ iff } P \text{ and } Q \text{ are bisimilar.}$$

For $c < 1$, we show how to compute $d^c(P, Q)$ to within $\epsilon$.
An “asymptotic” metric on plMcs. The $d^c$ metric (for $c < 1$) is heavily influenced by the initial transitions of a process — processes which can be differentiated early are far apart. For each $c \in (0, 1]$, we define a dual metric (Section 6) on plMcs to capture the idea that processes are close if they have the same behavior “eventually”, thus disregarding their initial behavior. Informally, we proceed as follows. Let $P$ after $s$ stand for the plMc $P$ after exhibiting a trace $s$. Then, the $j$’th distance between $P, Q$ after exhibiting traces of length $j$ is given by $\sup\{d^c(P \text{ after } s,\ Q \text{ after } s) \mid length(s) = j\}$. The asymptotic distance between $P, Q$ is given by the appropriate limit of the $d^c_j$’s:

$$d^c_\infty(P, Q) = \lim_{i \to \infty}\ \sup_{j \geq i}\ d^c_j(P, Q).$$

A process algebra of probabilistically determinate processes. In order to illustrate the properties of the metrics via concrete examples, we use an algebra of probabilistically determinate processes and a (bounded) buffer example coded in the algebra (Section 5). This process algebra has input and output prefixing, parallel composition and a probabilistic choice combinator. We do not consider hiding since this paper focuses on strong (as opposed to weak) probabilistic bisimulation.

We show that bisimulation is a congruence for all these operations. Furthermore, we generalize the result that bisimulation is a congruence, by showing that process combinators do not increase distance in any of the $d^c$ metrics. Formally, let $d^c(P_i, Q_i) = e_i$. For every $n$-ary process combinator $C[X_1, \ldots, X_n]$, we have

$$d^c(C[P_1, \ldots, P_n],\ C[Q_1, \ldots, Q_n]) \leq \sum_i e_i.$$

Prefixing and parallel composition combinators do not increase $d^c_\infty$. However, the probabilistic choice combinator is not contractive for $d^c_\infty$.

Continuous systems. While this paper focuses on systems with a countable number 
of states, all the results extend to systems with continuous state spaces. The techni- 
cal development of continuous systems requires measure theory apparatus and will be 
reported in a separate paper. 



Related and future work. In this paper, we deal with probabilistic nondeterminism. In 
a probabilistic analysis, quantitative information is recorded and used in the reasoning. 
In contrast, a purely qualitative nondeterministic analysis does not require and does not 
yield quantitative information. In particular when one has no quantitative information 
at all, one has to work with indeterminacy — using a uniform probability distribution 
is not the same as expressing complete ignorance about the possible outcomes. 

The study of the interaction of probability and nondeterminism, largely in the context of exact equivalence of probabilistic processes, has been explored extensively in the context of different models of concurrency. Probabilistic process algebras add a notion of randomness to the process algebra model and have been studied extensively in the traditional framework of (different) semantic theories of (different) process algebras (to name but a few: bisimulation, theories of (probabilistic) testing, relationship with (probabilistic) modal logics etc.). Probabilistic Petri nets add Markov chains to the underlying Petri net model. This area has a well developed suite of algorithms for performance evaluation. Probabilistic studies have also been carried out in the context of IO Automata.



In contrast to the above body of research, the primary theme of this paper is the study of intersubstitutivity of (eventually) (approximately) equivalent processes. The ideas of approximate substitutivity in this paper are inspired by the work of Jou and Smolka referred to earlier and the ideas in the area of performance modeling as exemplified in the work on process algebras for compositional performance modeling. The extension of the methods of this paper to systems which have both probability and traditional nondeterminism remains open and will be the object of future study.

The verification community has been active in developing model checking tools for probabilistic systems. Approximation techniques in the spirit of those of this paper have been explored for hybrid systems. In future work, we will explore efficient algorithms and complexity results for our metrics.

Our work on the asymptotic metric is closely related, at least in spirit, to the work of Lincoln, Mitchell, Mitchell and Scedrov in the context of security protocols. Both that work and this paper consider the asymptotic behavior of a single process, rather than the limiting behavior of a probabilistically described family of processes as is done in some analyses in Markov theory.



Organization of this paper. The rest of this paper is organized as follows. First, in section 2 we review the notions of plMc and probabilistic bisimulation and associated results to make the paper self-contained. We next present (section 3) an alternate way to study processes using real-valued functions and show that this view presents an alternate characterization of probabilistic bisimulation. In section 4 we define a family of metrics, illustrate with various examples and describe a decision procedure to evaluate the metric. The following section describes a process algebra of probabilistically determinate processes. We conclude with a section on the asymptotic metric.



2 Background 



This section on background briefly recalls definitions from previous work on partial labeled Markov processes and sets up the basic notations and framework for the rest of the paper.



Definition 1. A partial labeled Markov chain (plMc) with a label set $L$ is a structure $(S, \{k_l \mid l \in L\}, s)$, where $S$ is a countable set of states, $s$ is the start state, and $\forall l \in L.\ k_l : S \times S \to [0, 1]$ is a transition function such that $\forall s \in S.\ \sum_t k_l(s, t) \leq 1$.

A plMc is finite if $S$ is finite. There is no finite branching restriction on a plMc; $k_l(s, t)$ can be non-zero for countably many $t$’s. $k_l$ is extended to a function $S \times \mathcal{P}(S) \to [0, 1]$ by defining $k_l(s, A) = \sum_{t \in A} k_l(s, t)$. Given a plMc $P = (S, \{k_l \mid l \in L\}, s)$, we shall refer to its state set, transition probability and initial state as $S_P$, $k^P_l$ and $s_P$ respectively, when necessary. We will assume a fixed finite set of labels $L$, and that $k_l$ is a rational function; this does not restrict the theory.
We could have alternatively presented a plMc as a structure $(S, \{k_l \mid l \in L\}, \mu)$ where $\mu$ is an initial distribution on $S$. Given a plMc $P$ with initial distribution $\mu$, one can construct an equivalent plMc $Q$ with an initial state as follows. $S_Q = S_P \cup \{u\}$ where $u$ is a new state not in $S_P$; $u$ will be the start state of $Q$. $k^Q_l(s, t) = k^P_l(s, t)$ if $s, t \in S_P$; $k^Q_l(s, u) = 0$, and $k^Q_l(u, t) = \sum_s k^P_l(s, t)\,\mu(s)$. We will freely move between the notions of initial state and initial distribution. For example, when a transition on label $l$ occurs in a plMc $P$, there is a new initial distribution given by $\mu'(t) = \sum_s k_l(s, t) \times \mu(s)$.

We recall the definition of bisimulation on plMcs from earlier work.

Definition 2. An equivalence relation $R$ on the set of states of a plMc $P$ is a bisimulation if whenever two states $s_1$ and $s_2$ are $R$-related, then for any label $l$ and any $R$-equivalence class of states $T$, $k_l(s_1, T) = k_l(s_2, T)$.

Two plMcs $P, Q$ are bisimilar if there is a bisimulation $R$ on the disjoint union of $P, Q$ such that $s_P\, R\, s_Q$.
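As an added illustration (not code from the paper), the following Python computes the coarsest bisimulation of Definition 2 on a finite plMc by partition refinement and decides bisimilarity on the disjoint union. The three sample plMcs are constructed here: splitting a sure $a$-move into two equiprobable branches preserves bisimilarity, while perturbing the probability to 99/100 breaks it, which is the sensitivity the introduction remarks on.

```python
from fractions import Fraction

# A finite plMc (Definition 1): a state list, a start state and a table
# k[l][(s, t)] of l-labelled transition probabilities (absent pairs are 0).
def plmc(states, start, transitions):
    k = {}
    for l, s, t, p in transitions:
        k.setdefault(l, {})[(s, t)] = p
    for l, table in k.items():          # sum_t k_l(s, t) <= 1 for every s and l
        for s in states:
            row = sum(p for (u, _), p in table.items() if u == s)
            if row > 1:
                raise ValueError(f"sum_t k_{l}({s}, t) = {row} exceeds 1")
    return {"states": list(states), "start": start, "k": k}

def k_set(P, l, s, block):
    """k_l(s, T) = sum_{t in T} k_l(s, t): the transition function extended to sets."""
    return sum(P["k"].get(l, {}).get((s, t), Fraction(0)) for t in block)

def bisimulation(P):
    """Coarsest bisimulation on a finite plMc (Definition 2) by partition refinement:
    a block is split whenever two of its states give different k_l(s, T) for some
    label l and some current block T; stop when nothing splits. Returns state -> class."""
    labels = sorted(P["k"])
    partition = [frozenset(P["states"])]
    while True:
        refined = []
        for block in partition:
            groups = {}
            for s in block:
                signature = tuple(k_set(P, l, s, T) for l in labels for T in partition)
                groups.setdefault(signature, set()).add(s)
            refined.extend(frozenset(g) for g in groups.values())
        if len(refined) == len(partition):      # refinement only splits, so R is stable
            return {s: block for block in refined for s in block}
        partition = refined

def disjoint_union(P, Q):
    """Tag the states of P and Q so that their union is disjoint."""
    transitions = []
    for X, tag in ((P, "P"), (Q, "Q")):
        for l, table in X["k"].items():
            for (s, t), p in table.items():
                transitions.append((l, (tag, s), (tag, t), p))
    states = [("P", s) for s in P["states"]] + [("Q", s) for s in Q["states"]]
    return plmc(states, ("P", P["start"]), transitions)

def bisimilar(P, Q):
    """P and Q are bisimilar iff their start states are R-related on the disjoint union."""
    R = bisimulation(disjoint_union(P, Q))
    return R[("P", P["start"])] == R[("Q", Q["start"])]

# Constructed sample processes (not from the paper): SPLIT does a to one of two b-states
# with probability 1/2 each; SURE does a with probability 1 to a single b-state;
# PERTURBED is SURE with the a-probability lowered to 99/100.
SPLIT = plmc(["s0", "s1", "s2", "s3"], "s0",
             [("a", "s0", "s1", Fraction(1, 2)), ("a", "s0", "s2", Fraction(1, 2)),
              ("b", "s1", "s3", Fraction(1)), ("b", "s2", "s3", Fraction(1))])
SURE = plmc(["t0", "t1", "t2"], "t0",
            [("a", "t0", "t1", Fraction(1)), ("b", "t1", "t2", Fraction(1))])
PERTURBED = plmc(["u0", "u1", "u2"], "u0",
                 [("a", "u0", "u1", Fraction(99, 100)), ("b", "u1", "u2", Fraction(1))])

if __name__ == "__main__":
    print("SPLIT ~ SURE:", bisimilar(SPLIT, SURE))            # True
    print("SURE ~ PERTURBED:", bisimilar(SURE, PERTURBED))    # False
```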

It has been shown that bisimulation can be characterized using the negation-free logic $\mathcal{L}$:

$$\phi ::= \top \mid \phi_1 \wedge \phi_2 \mid \langle a \rangle_q \phi$$

where $a$ is a label from the set of labels $L$ and $q \in [0, 1)$ is a rational number. Given a plMc $P = (S, \{k_a \mid a \in L\}, s)$ we write $t \models_P \phi$ to mean that the state $t$ satisfies the formula $\phi$. The definition of the relation $\models$ is given by induction on formulas.

$t \models_P \top$

$t \models_P \phi_1 \wedge \phi_2 \iff t \models_P \phi_1,\ t \models_P \phi_2$

$t \models_P \langle a \rangle_q \phi \iff \exists A \subseteq S.\ (\forall t' \in A.\ t' \models_P \phi) \wedge (q < k_a(t, A))$

In words, $t \models_P \langle a \rangle_q \phi$ if the system $P$ in state $t$ can make an $a$-move to a set of states that satisfy $\phi$ with probability strictly greater than $q$. We write $\llbracket \phi \rrbracket_P$ for the set $\{s \in S_P \mid s \models \phi\}$. We often omit the $P$ subscript when no confusion can arise. The result of that work that is relevant to the current paper is that two plMcs are bisimilar if and only if their start states satisfy the same formulas.

Definition 3. $P$ is a sub-plMc of $Q$ if $S_P \subseteq S_Q$ and $(\forall l)(\forall s, t \in S_P)\ [k^P_l(s, t) \leq k^Q_l(s, t)]$.

Thus, a sub-plMc of a plMc has fewer states and lower probabilities. The logic $\mathcal{L}$, since it does not have negation, satisfies a basic monotonicity property with respect to substructures: if $P$ is a sub-plMc of $Q$, then $(\forall s \in S_P)\ [s \models_P \phi \Rightarrow s \models_Q \phi]$. Every formula satisfied in a state of a plMc is witnessed by a finite sub-plMc.

Lemma 1. Let $P$ be a plMc, $s \in S_P$, such that $s \models_P \phi$. Then there exists a finite sub-plMc of $P$, $Q_\phi$, such that $s \in S_{Q_\phi}$ and $s \models_{Q_\phi} \phi$.

3 An Alternate Characterization of Probabilistic Bisimulation 

In this section, following Kozen, we present an alternate characterization of probabilistic bisimulation using functions into the reals instead of the logic $\mathcal{L}$. We define a set of functions which are sufficient to characterize bisimulation. It is worth clarifying our terminology here. We define a set of functional expressions by giving an explicit syntax.
A functional expression becomes a function when we interpret it in a system. Thus we 
may loosely say “the same function” when we move from one system to another. What 
we really mean is the “same functional expression”; obviously it cannot be the same 
function when the domains are different. This is no different from having syntactically 
defined formulas of some logic which become boolean- valued functions when they are 
interpreted on a structure. 

We now give the class of functional expressions. First, some notation. Let $\lfloor r \rfloor_q = r - q$ if $r > q$, and 0 otherwise; $\lceil r \rceil^q = q$ if $r > q$, and $r$ otherwise. Note that

$$\lfloor r \rfloor_q + \lceil r \rceil^q = r.$$

For each $c \in (0, 1]$, we consider a family $\mathcal{F}^c$ of functional expressions generated by the following grammar. Here $q$ is a rational in [0, 1].

$$\begin{array}{rcll}
f^c & ::= & \lambda s.\,1 & \text{Constant schema} \\
 & \mid & \lambda s.\,1 - f^c(s) & \text{Negation schema} \\
 & \mid & \lambda s.\,\min(f^c_1(s), f^c_2(s)) & \text{Min schema} \\
 & \mid & \lambda s.\,\sup_{i \in \mathbb{N}}\{f^c_i(s)\} & \text{Sup schema} \\
 & \mid & \lambda s.\,c \sum_{t \in S} k_a(s, t)\, f^c(t) & \text{Prefix schema} \\
 & \mid & \lambda s.\,\lfloor f^c(s) \rfloor_q & \\
 & \mid & \lambda s.\,\lceil f^c(s) \rceil^q & \text{Conditional schemas}
\end{array}$$

$\mathcal{F}^c_+$ is the sub-collection of $\mathcal{F}^c$ that does not use the negation schema.

The functional expressions generated by these schemas will be written as $1$, $1 - f$, $\min(f_1, f_2)$, $\sup_i f_i$, $\langle a \rangle.f$, $\lfloor f \rfloor_q$ and $\lceil f \rceil^q$ respectively. We will use $\langle a \rangle^n.f$ to represent $\underbrace{\langle a \rangle.\langle a \rangle \cdots \langle a \rangle}_{n}.f$.

One can informally associate functional expressions with every connective of the logic $\mathcal{L}$ in the following way. $\top$ is represented by $\lambda s.\,1$ and conjunction by min. The contents of the connective $\langle a \rangle_q$ is split up into two expression schemas: the $\langle a \rangle.f$ schema that intuitively corresponds to prefixing and the conditional schema $\lfloor f \rfloor_q$ that captures the “greater than $q$” idea.

Lemma 2. The functions $1$, $1 - f$, $\min(f_1, f_2)$, $\lfloor f \rfloor_q$, $\lceil f \rceil^q$ can be used to approximate any continuous Lipschitz function from [0, 1] to [0, 1].

This shows that we can replace the constant schema, negation schema and conditional schemas with one schema: $\lambda s.\,g(f(s))$, where $g$ is any continuous Lipschitz function. To get positive functions we can restrict $g$ to monotone continuous Lipschitz functions.

Example 6. Consider the plMcs $A_1$ and $A_2$ of figure 1. All transitions are labeled $a$. The functional expression $(\langle a \rangle.1)^c$ evaluates to $c$ at states $s_0, s_2$ of both $A_1$ and $A_2$; it evaluates to 0 at states $s_1, s_3$ of $A_1$ and $s_3, s_4$ of $A_2$, and it evaluates to $c/2$ at state $s_1$ of $A_2$. The functional expression $(\langle a \rangle.\langle a \rangle.1)^c$ evaluates to $3c^2/4$ at states $s_0$ of $A_1, A_2$ and to 0 elsewhere. The functional expression $(\langle a \rangle.\lfloor \langle a \rangle.1 \rfloor_{c/2})^c$ evaluates to $3c^3/8$ at state $s_0$ of $A_1$ and to $c^3/4$ at state $s_0$ of $A_2$.

[Figure 1 residue]

Fig. 1. Examples of plMcs



Example 7. Consider the plMc $A_3$ of figure 1. All transitions are labeled $a$. A functional expression of the form $(\langle a \rangle^n.1)^c$ evaluates to $c^n$ at state $s_0$. On state $s_0$ of plMc $A_4$ the same functional expression evaluates to $(c \times 0.4)^n$.
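As an added worked example (not the paper's own code), this Python evaluator interprets the functional expressions of this section on a finite plMc with discount $c$ and reproduces the values of Examples 5 and 7, then searches for the finite witness $n$ of Example 10. Since figure 1 is not reproduced, $A_3$ and $A_4$ are constructed here from the stated values as a self-loop on $a$ with probability 1, respectively 0.4; the Sup schema (an infinite family) is omitted.

```python
from fractions import Fraction

# A finite plMc (constructed here): a start state plus a table k[a][(s, t)] of
# a-labelled transition probabilities (Definition 1).
def plmc(start, transitions):
    k = {}
    for a, s, t, p in transitions:
        k.setdefault(a, {})[(s, t)] = p
    return {"start": start, "k": k}

def floor_q(r, q):
    """The lower conditional [r]_q: r - q if r > q, and 0 otherwise."""
    return r - q if r > q else Fraction(0)

def ceil_q(r, q):
    """The upper conditional [r]^q: q if r > q, and r otherwise (floor_q + ceil_q = r)."""
    return q if r > q else r

def evaluate(expr, P, s, c):
    """Interpret a functional expression (nested tuples) at state s of P with discount c.
    Schemas: ("one",) | ("neg", f) | ("min", f1, f2) | ("prefix", a, f)
           | ("floor", f, q) | ("ceil", f, q).   The Sup schema is not represented."""
    kind = expr[0]
    if kind == "one":
        return Fraction(1)
    if kind == "neg":
        return 1 - evaluate(expr[1], P, s, c)
    if kind == "min":
        return min(evaluate(expr[1], P, s, c), evaluate(expr[2], P, s, c))
    if kind == "prefix":            # <a>.f  =  lambda s. c * sum_t k_a(s, t) f(t)
        _, a, f = expr
        return c * sum(p * evaluate(f, P, t, c)
                       for (u, t), p in P["k"].get(a, {}).items() if u == s)
    if kind == "floor":
        return floor_q(evaluate(expr[1], P, s, c), expr[2])
    if kind == "ceil":
        return ceil_q(evaluate(expr[1], P, s, c), expr[2])
    raise ValueError(f"unknown schema {kind}")

def prefix_n(a, n):
    """<a>^n.1: n nested prefixes around the constant 1."""
    f = ("one",)
    for _ in range(n):
        f = ("prefix", a, f)
    return f

def witnessed_distance(exprs, P, Q, c):
    """max over a finite family of |f_P(s_P) - f_Q(s_Q)|: a lower bound on d^c(P, Q)."""
    return max(abs(evaluate(f, P, P["start"], c) - evaluate(f, Q, Q["start"], c))
               for f in exprs)

def example5(p, q, c):
    """Example 5: P does a with probability p, Q with q; P', Q' prepend a sure b.
    Returns the distances witnessed by <a>.1 and by <b>.<a>.1, i.e. c|p-q| and c^2|p-q|."""
    P = plmc("s0", [("a", "s0", "s1", p)])
    Q = plmc("t0", [("a", "t0", "t1", q)])
    P2 = plmc("r0", [("b", "r0", "s0", Fraction(1)), ("a", "s0", "s1", p)])
    Q2 = plmc("u0", [("b", "u0", "t0", Fraction(1)), ("a", "t0", "t1", q)])
    d1 = witnessed_distance([prefix_n("a", 1)], P, Q, c)
    d2 = witnessed_distance([("prefix", "b", prefix_n("a", 1))], P2, Q2, c)
    return d1, d2

def example10(c, n_max):
    """Examples 7 and 10: A3 loops on a with probability 1, A4 with probability 0.4
    (constructed to match the stated values c^n and (0.4 c)^n). Returns the n <= n_max
    maximising |(<a>^n.1)^c| between A3 and A4, together with that value; for c < 1 the
    maximum is attained at a finite n, for c = 1 it keeps growing towards 1."""
    A3 = plmc("s0", [("a", "s0", "s0", Fraction(1))])
    A4 = plmc("s0", [("a", "s0", "s0", Fraction(2, 5))])
    best = max(range(1, n_max + 1),
               key=lambda n: witnessed_distance([prefix_n("a", n)], A3, A4, c))
    return best, witnessed_distance([prefix_n("a", best)], A3, A4, c)

if __name__ == "__main__":
    print(example5(Fraction(1, 4), Fraction(3, 4), Fraction(1, 2)))   # (1/4, 1/8)
    print(example10(Fraction(9, 10), 20))                             # (3, 682344/1000000)
```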

A routine induction on the structure of the functional expression $f^c \in \mathcal{F}^c_+$ shows:

Lemma 3. If $P$ is a sub-plMc of $Q$, then $(\forall f \in \mathcal{F}^c_+)(\forall s \in S_P)\ [f_P(s) \leq f_Q(s)]$.

For any state in a finite plMc that satisfies a formula, there is a partial witness from $\mathcal{F}^c_+$.

Lemma 4. Given any $\phi \in \mathcal{L}$ and a finite plMc $P$, and any $c \in (0, 1]$, there is a functional expression $f^c \in \mathcal{F}^c_+$ such that

1. $\forall s \in S_P.\ f^c_P(s) > 0$ iff $s \models_P \phi$.

2. For any plMc $Q$, $\forall s \in S_Q.\ s \not\models_Q \phi \Rightarrow f^c_Q(s) = 0$.

Proof. The proof is by induction on the structure of $\phi$. The key case is $\phi = \langle a \rangle_q.\psi$; let $g$ be the functional expression corresponding to $\psi$ yielded by induction. Let $S_\psi$ be the set of states in $P$ satisfying $\psi$, and let $x = \min\{g(s) \mid s \in S_\psi\}$. By induction hypothesis, $x > 0$. Consider the functional expression $f^c$ given by $\lfloor \langle a \rangle.\lceil g \rceil^x \rfloor_{cxq}$. For all $t \in \llbracket \psi \rrbracket$, $(\lceil g \rceil^x)(t) = x$. Now for any state $s \in S_P$,

$$(\langle a \rangle.\lceil g \rceil^x)^c(s) = c\,x \sum_{t \in \llbracket \psi \rrbracket} k_a(s, t) = c\,x\,k_a(s, \llbracket \psi \rrbracket).$$

Now for each state $s \in \llbracket \phi \rrbracket$, $k_a(s, \llbracket \psi \rrbracket) > q$. Thus $f^c$ satisfies the first condition.

The second condition holds because for any $s \in S_Q$, $(\langle a \rangle.\lceil g \rceil^x)(s) \leq c\,x\,k_a(s, \llbracket \psi \rrbracket_Q)$, so if $k_a(s, \llbracket \psi \rrbracket_Q) \leq q$ then $(\lfloor \langle a \rangle.\lceil g \rceil^x \rfloor_{cxq})(s) = 0$.

Lemma 4 permits us to show that $\mathcal{F}^c$ is complete for reasoning about logical satisfiability. In fact, logical satisfiability is sound for reasoning about all functions in $\mathcal{F}^c$. Thus, we get:

Theorem 1. For any plMc $P$, $(\forall c \in (0, 1])$, $\forall s, s' \in S_P$

$$[(\forall \phi \in \mathcal{L})\ s \models_P \phi \Leftrightarrow s' \models_P \phi] \Leftrightarrow (\forall f \in \mathcal{F}^c)\,[f_P(s) = f_P(s')].$$

Example 8. Consider the plMcs $A_1, A_2$ of Figure 1. The calculations of Example 6 show that the $s_0$ states of $A_1, A_2$ are distinguishable. Furthermore, the states are indistinguishable if we use only the function schemas Constant, Min and Prefixing. Thus, Example 6 shows that the conditional functional expressions are necessary.

4 A Metric on Processes

Let $\mathcal{F}^c$ be the set of all functional expressions. Each such collection of functional expressions induces a distance function as follows:

$$d^c(P, Q) = \sup_{f \in \mathcal{F}^c} |f_P(s_P) - f_Q(s_Q)|.$$

Theorem 2. For all $c \in (0, 1]$, $d^c$ is a metric.

Proof. The triangle inequality and symmetry of $d^c$ are immediate. That $d^c(P, Q) = 0$ iff $P$ and $Q$ are bisimilar follows from Theorem 1.



Example 9. The analysis of Example 6 yields $d^c(A_1, A_2) = c^2/8$.



Example 10. Example 7 shows the fundamental difference between the metrics $d^c$, $c < 1$, and $d^1$, explaining why we can get an algorithm for $c < 1$. For $c < 1$, $d^c(A_3, A_4)$ is witnessed by some $(\langle a\rangle^n.1)^c$ and is given by $d^c(A_3, A_4) = c^n(1 - (0.4)^n)$ for that $n$. In contrast, $d^1(A_3, A_4) = \sup\{1 - (0.4)^n \mid n = 0, 1, \ldots\} = 1$; no finitary function witnesses this.



Example 11. (Analysis of an earlier example.) Consider the family of plMcs $\{P_\epsilon \mid 0 < \epsilon < r\}$ where $P_\epsilon = a_{r-\epsilon}.Q$, i.e. $P_\epsilon$ is the plMc that does an $a$ with probability $r - \epsilon$ and then behaves like $Q$. The functional expression $(\langle a\rangle.1)^c$ evaluates to $(r - \epsilon)c$ at $P_\epsilon$. This functional expression witnesses the distance between any two $P$'s (other functions will give smaller distances). Thus, we get $d(P_{\epsilon_1}, P_{\epsilon_2}) = c\,|\epsilon_1 - \epsilon_2|$. This furthermore ensures that $P_\epsilon$ converges to $P_0$ as $\epsilon$ tends to $0$.



Example 12. (from [?]) Consider the plMcs $A_5$ and $A_6$ of Figure 1. $A_6$ is just like $A_5$ except that there is an additional transition to a state which then has an $a$-labeled transition back to itself. The probability numbers are as shown. If both plMcs have the same values on all functional expressions we will show that $q_\infty = 0$, i.e. it really cannot be present. The functional expression $(\langle a\rangle.1)^c$ yields $c(\sum_{i \ge 0} p_i)$ on $A_5$ and $c(q_\infty + \sum_{i \ge 0} q_i)$ on $A_6$. The functional expression $(\langle a\rangle.\langle a\rangle.1)^c$ yields the corresponding sum over the $p_i$ on $A_5$ and $c^2(q_\infty + \sum_{i \ge 1} q_i)$ on $A_6$. Thus, we deduce that $p_0 = q_0$. Similarly, considering the functional expressions $(\langle a\rangle.\langle a\rangle.\langle a\rangle.1)^c$ etc., we deduce that $p_n = q_n$. Thus, $q_\infty = 0$.
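The functional expressions of Examples 6 to 10 can be evaluated mechanically. The following Python code is an added example, not part of the original paper: it implements an evaluator for finitary functional expressions over a finite plMc under the semantics assumed here ($1$, $1 - f$, $\lfloor f\rfloor_q = \max(f - q, 0)$, $\lceil f\rceil^q = \min(f, q)$, pointwise $\min$, and $\langle a\rangle.f(s) = c \sum_t k_a(s, t) f(t)$), and uses it to compute witness values and the lower bound on $d^c$ that a finite family of witnesses gives. The chains $A_1$ to $A_4$ are reconstructed from the values stated in Examples 6 and 7, since Figure 1 is not reproduced here; their transition probabilities are an assumption of this example.

```python
from fractions import Fraction as Fr


class PLMC:
    """A finite partial labeled Markov chain: trans[label][state] = {target: prob}.
    Weights out of a state on a label may sum to less than 1 (sub-probability)."""

    def __init__(self, states, start, trans):
        self.states = tuple(states)
        self.start = start
        self.trans = trans

    def k(self, label, s):
        """k_label(s, .) as a dict target -> probability (empty if no transition)."""
        return self.trans.get(label, {}).get(s, {})


def evaluate(expr, P, s, c):
    """Value f^c_P(s) of a functional expression written as a nested tuple:
    ('one',) ('neg', f) ('floor', f, q) ('ceil', f, q) ('min', f, g) ('diam', a, f).
    Semantics assumed: 1; 1-f; max(f-q, 0); min(f, q); pointwise min;
    <a>.f(s) = c * sum_t k_a(s, t) f(t)."""
    op = expr[0]
    if op == 'one':
        return Fr(1)
    if op == 'neg':
        return 1 - evaluate(expr[1], P, s, c)
    if op == 'floor':
        return max(evaluate(expr[1], P, s, c) - Fr(expr[2]), Fr(0))
    if op == 'ceil':
        return min(evaluate(expr[1], P, s, c), Fr(expr[2]))
    if op == 'min':
        return min(evaluate(expr[1], P, s, c), evaluate(expr[2], P, s, c))
    if op == 'diam':
        label, f = expr[1], expr[2]
        return c * sum((p * evaluate(f, P, t, c) for t, p in P.k(label, s).items()), Fr(0))
    raise ValueError('unknown operator %r' % (op,))


def prefix(label, n, f=('one',)):
    """The expression <label>^n . f."""
    for _ in range(n):
        f = ('diam', label, f)
    return f


def witness_gap(expr, P, Q, c):
    """|f^c_P(s_P) - f^c_Q(s_Q)|: what one witness contributes to d^c(P, Q)."""
    return abs(evaluate(expr, P, P.start, c) - evaluate(expr, Q, Q.start, c))


def distance_lower_bound(P, Q, c, witnesses):
    """sup over a finite family of witnesses: a lower bound on d^c(P, Q), equal
    to it when the family contains an optimal witness."""
    return max(witness_gap(w, P, Q, c) for w in witnesses)


def best_prefix_witness(P, Q, c, label, n_max):
    """Search the family (<label>^n . 1)^c for n = 0..n_max; returns (n, gap)
    for the witness with the largest gap (the situation of Example 10)."""
    gap, n = max((witness_gap(prefix(label, n), P, Q, c), n) for n in range(n_max + 1))
    return n, gap


# Chains reconstructed from the values stated in Examples 6 and 7 (assumption:
# Figure 1 itself is not on the page).  All transitions are labeled 'a'.
A1 = PLMC(['s0', 's1', 's2', 's3'], 's0',
          {'a': {'s0': {'s1': Fr(1, 4), 's2': Fr(3, 4)}, 's2': {'s3': Fr(1)}}})
A2 = PLMC(['s0', 's1', 's2', 's3', 's4'], 's0',
          {'a': {'s0': {'s1': Fr(1, 2), 's2': Fr(1, 2)},
                 's1': {'s3': Fr(1, 2)}, 's2': {'s4': Fr(1)}}})
A3 = PLMC(['s0'], 's0', {'a': {'s0': {'s0': Fr(1)}}})       # a-loop with probability 1
A4 = PLMC(['s0'], 's0', {'a': {'s0': {'s0': Fr(2, 5)}}})    # a-loop with probability 0.4

# The three expressions of Example 6: <a>.1, <a>.<a>.1 and <a>.floor_{1/2}(<a>.1).
EX6 = [prefix('a', 1), prefix('a', 2), ('diam', 'a', ('floor', prefix('a', 1), Fr(1, 2)))]


if __name__ == '__main__':
    for e in EX6:
        print([str(evaluate(e, A1, s, Fr(1))) for s in A1.states],
              [str(evaluate(e, A2, s, Fr(1))) for s in A2.states])
    print('d(A1,A2) >=', distance_lower_bound(A1, A2, Fr(1), EX6))
    for c in (Fr(1, 2), Fr(1)):
        print('c =', c, 'best n and gap for A3 vs A4:', best_prefix_witness(A3, A4, c, 'a', 10))
```

With $c = 1$ the three expressions of Example 6 evaluate at $s_0$ to $1$, $3/4$ and $3/8$ on $A_1$ and to $1$, $3/4$ and $1/4$ on $A_2$, so the third witness gives the $c^2/8$ of Example 9 while the first two give no gap at all. For $A_3$ against $A_4$ the search over $(\langle a\rangle^n.1)^c$ settles on a finite $n$ when $c < 1$ but keeps improving with $n$ when $c = 1$, which is the point of Example 10. Exact rational arithmetic is used so that the truncation in $\lfloor\cdot\rfloor_q$ is not blurred by rounding.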
A decision procedure for $d^c$, $c < 1$. Given finite plMcs $P, Q$, we now provide a decision procedure for computing $d^c(P, Q)$ for $c < 1$ to any desired accuracy $c^n$, where $n$ is a natural number. We do this by computing $\sup_{f \in F} |f^c(s_P) - f^c(s_Q)|$ for a finite set of functions $F$, and then show that for this $F$, $d^c(P, Q) - \sup_{f \in F} |f^c(s_P) - f^c(s_Q)| < c^n$.

Define the depth of a finitary functional expression (i.e. without sup) inductively as follows: $depth(\lambda s.1) = 0$, $depth(\min(f_1, f_2)) = \max\{depth(f_1), depth(f_2)\}$, $depth(1 - f) = depth(\lfloor f\rfloor_q) = depth(\lceil f\rceil^q) = depth(f)$, and $depth(\langle a\rangle.f) = depth(f) + 1$. Then it is clear how $|f^c(s_P) - f^c(s_Q)|$ is bounded in terms of $depth(f)$. Now if we include in $F$ all functions of depth $\le n$, then $d^c(P, Q) - \sup_F |f^c(s_P) - f^c(s_Q)| < c^n$.

However there are infinitely many functional expressions of depth $\le n$. We now construct a finite subset of these, such that the above inequality still holds. Let $A^m = \{k / 3^{m+1+n} \mid k = 0, \ldots\}$ where $1/3^m < c^n$. We construct the set of functions inductively as follows. We use $\bar F$ to stand for $F \cup \{1 - f \mid f \in F\}$. Let $F^i$ be the set of all functions of depth $\le i$. Define:

$$F^{i+1}_1 = \{\langle a\rangle.f \mid f \in \bar F^i\} \qquad F^{i+1}_2 = \{\lfloor f\rfloor_q \mid f \in \bar F^{i+1}_1,\ q \in A^{i+1}\}$$

$$F^{i+1}_3 = \{\lceil f\rceil^q \mid f \in \bar F^{i+1}_2,\ q \in A^{i+1}\} \qquad F^{i+1}_4 = \{\lfloor f\rfloor_q \mid f \in \bar F^{i+1}_3,\ q \in A^{i+1}\}$$

$$F^{i+1}_5 = \{\min(f_1, \ldots, f_n) \mid f_j \in \bar F^{i+1}_4 \cup \bar F^i\} \qquad F^{i+1} = \{\max(f_1, \ldots, f_n) \mid f_j \in \bar F^{i+1}_5\}$$

We can prove that for any $f^c \in \mathcal{F}^c$ of depth $\le n$, there is a function in $F^n$ that approximates it closely enough.

Lemma 5. Let $f^c \in \mathcal{F}^c$ and $\epsilon > 0$. Then $\exists g^c \in F^n$ such that: $(\forall \text{plMc } P)(\forall s \in S_P)\,[\,|f^c(s) - g^c(s)| < \epsilon\,]$.

The proof relies on the following identities that show that repeating steps 2-5 on $F^{i+1}$ does not get any new functions.

$$\lfloor\lfloor f\rfloor_q\rfloor_r = \lfloor f\rfloor_{q+r}$$

$$\lfloor \min(f_1, f_2)\rfloor_r = \min(\lfloor f_1\rfloor_r, \lfloor f_2\rfloor_r) \qquad \lceil \min(f_1, f_2)\rceil^r = \min(\lceil f_1\rceil^r, \lceil f_2\rceil^r)$$

$$1 - (1 - f) = f$$

$$1 - \max(f_1, f_2) = \min(1 - f_1, 1 - f_2) \qquad 1 - \min(f_1, f_2) = \max(1 - f_1, 1 - f_2)$$

$$\lfloor 1 - \lfloor f\rfloor_q\rfloor_r = \lceil \lfloor 1 - f\rfloor_{r-q}\rceil^{1-r} \quad \text{if } r \ge q$$

$$\lfloor 1 - \lceil f\rceil^q\rfloor_r = \lfloor 1 - f\rfloor_r \ \text{ if } q + r \ge 1 \qquad \lfloor 1 - \lceil f\rceil^q\rfloor_r = 1 - \lceil 1 - \lfloor 1 - f\rfloor_r\rceil^{q+r} \ \text{ if } q + r < 1$$

$$\min(\max(f_1, f_2), \max(f_3, f_4)) = \max(\min(f_1, f_3), \min(f_1, f_4), \ldots)$$

5 Examples of Metric Reasoning Principles

In this section, we use a process algebra and an example coded in the process algebra to illustrate the type of reasoning provided by our study. We also show that small perturbations of a process result in a nearby process.

5.1 A Process Algebra

The process algebra describes probabilistically determinate processes. The processes are input-enabled in a weak sense ($(\forall s \in S_P)(\forall a \in \mathcal{A})\ k_{a?}(s, S_P) > 0$) and communication is via CSP style broadcast. The process combinators that we consider are parallel composition, prefixing and probabilistic choice. We do not consider hiding since this paper focuses on strong probabilistic bisimulation. Though we do not enforce the fact that output actions do not block, this assumption can safely be added to the algebra to make it an IO calculus [?].

We assume an underlying set of labels $\mathcal{A}$. Let $L? = \{a? \mid a \in \mathcal{A}\}$ be the set of input labels, and $L! = \{a! \mid a \in \mathcal{A}\}$ the set of output labels. The set of labels is given by $L = L? \cup L!$. Every process $P$ is associated with a subset of labels $P_O \subseteq L!$, the set of relevant output labels. This signature is used to constrain parallel composition.



Prefixing. $P = a?_r.Q$, where $r$ is a rational number, is the process that accepts input $a$ and then performs as $Q$. The number $r$ is the probability of accepting $a?$. With probability $(1 - r)$ the process $P = a?_r.Q$ will block on an $a?$ label. $S_P$ is given by adding a new state $q$ to $S_Q$. Add a transition labeled $a?$ from $q$ to the start state of $Q$ with probability $r$. For all other labels $l$, add an $l$-labeled self-loop at $q$ with probability $1$. $q$ is the start state of $P$.

Output prefixing, $P = a!_r.Q$, where $r$ is a rational number, the process that performs output action $a!$ and then functions as $Q$, is defined analogously. In this case, $P_O = Q_O \cup \{a!\}$. For both input and output prefixing, we have: $d^c(a_r.P, a_s.P) \le c\,|r - s|$.

Probabilistic choice. $P = Q +_r Q'$ is the probabilistic choice combinator that chooses $Q$ with probability $r$ and $Q'$ with probability $1 - r$. $P_O = Q_O \cup Q'_O$. $S_P = S_Q \uplus S_{Q'}$. Now $k^P_l(q, A \uplus A') = k^Q_l(q, A)$ if $q \in S_Q$, and $k^P_l(q, A \uplus A') = k^{Q'}_l(q, A')$ if $q \in S_{Q'}$. We define an initial distribution $\mu$: $\mu(\{s_Q\}) = r$, $\mu(\{s_{Q'}\}) = 1 - r$, referring the reader to an earlier section for a way to convert to an initial state format.

We have: $d^c(P +_r Q, P +_s Q) \le |r - s|\, d^c(P, Q)$; $d^c(P +_r Q, P' +_r Q) \le r\, d^c(P, P')$.



Parallel composition. $P = Q \,\|\, Q'$ is permitted if the output actions of $Q, Q'$ are disjoint, i.e. $Q_O \cap Q'_O = \emptyset$. The parallel composition synchronizes on all labels in $Q_L \cap Q'_L$. $P_O = Q_O \uplus Q'_O$. $S_P = S_Q \times S_{Q'}$. The $k^P$ definition is motivated by the following idea. Let $s$ (resp. $s'$) be a state of $Q$ (resp. $Q'$). We expect the following synchronized transitions from the product state $(s, s')$: an $a!$ step $s \to t$ of $Q$ together with an $a?$ step $s' \to t'$ of $Q'$ gives the step $(s, s') \to (t, t')$ of $P$, and symmetrically an $a?$ step $s \to t$ of $Q$ together with an $a!$ step $s' \to t'$ of $Q'$ gives the step $(s, s') \to (t, t')$.

The disjointness of the output labels of $Q, Q'$ ensures that there is no non-determinism. Formally, if $l = a! \in Q_O$, then $k^P_{a!}((s, s'), (t, t')) = k^P_{a?}((s, s'), (t, t')) = k^Q_{a!}(s, t) \times k^{Q'}_{a?}(s', t')$. The case when $a! \in Q'_O$ and $l = a?$ is similar.

Theorem 3. (Contractivity of process combinators)

- $d^c(l_r.P, l_r.Q) \le c\, d^c(P, Q)$ for any label $l$

- $d^c(P +_r R, Q +_r R) \le d^c(P, Q)$ for any $R$

- $d^c(P \,\|\, R, Q \,\|\, R) \le d^c(P, Q)$ for any $R$ for which $P \,\|\, R$, $Q \,\|\, R$ are defined.

Thus, Theorem 3 allows us to conclude that bisimulation is a congruence with respect to these operations.



Fig. 2. The producer consumer example: (a) Producer, with transition put,p; (b) Consumer, with transition get,q; (c) Buffer, size 2, with transitions put?,r, get?,1-r and put?,e; (d) Producer || Consumer || Buffer 2, with transitions put,pr, put,pe and get,q(1-r).



5.2 A Bounded Buffer Example

We specify a producer consumer process with a bounded buffer (along the lines of [?]). The producer is specified by the 1-state finite automaton shown in Figure 2(a): it outputs a put, corresponding to producing a packet, with probability $p$ (we omit the ! in the labels). To keep the figure uncluttered, we also omit the input-enabling arcs, all of which have probability 1. The consumer (Figure 2(b)) is analogous: it outputs a get with probability $q$, corresponding to consuming a packet. The buffer is an $n$-state automaton; the states are merely used to count the number of packets in the buffer, while the probabilities code up the probability of scheduling either the producer or the consumer (thus the producer gets scheduled with probability $r$, and then produces a packet with probability $p$). Upon receiving a put in the last state, the buffer accepts it with a very small probability $\epsilon$, modeling a blocked input. The parallel composition of the three processes is shown in Figure 2(d).

As the buffer size increases, the distance between the bounded buffer and the unbounded buffer decreases to 0. Let $P_k = \text{Producer} \,\|\, \text{Consumer} \,\|\, \text{Buffer}_k$, where $\text{Buffer}_k$ denotes the process Buffer with $k$ states. Then by looking at the structure of the process, we can compute that $d(P_k, P_\infty) \propto (cpr)^k$. Thus we conclude the following:

- As the bounded buffer becomes larger, it approximates an infinite buffer more closely: if $m > k$ then $d^c(P_k, P_\infty) > d^c(P_m, P_\infty)$.

- As the probability of a put decreases, the bounded buffer approximates an infinite buffer more closely. Thus if $p < p'$, $d^c(P^p_k, P^p_\infty) < d^c(P^{p'}_k, P^{p'}_\infty)$, where the superscripts indicate the producer probability.

- Similarly, as the probability of scheduling the Producer process ($r$) decreases, the buffer approximates an infinite buffer more closely.
Fig. 3. A producer with transient behavior (transitions put,p+s/4 and put,p+s/8)



5.3 Perturbation Results

Let $P$ be a plMc. Define $Q = (S_P, k^Q, s_P)$ to be an $\epsilon$-perturbation of $P$ if for all labels $a$, $\forall s \in S_P.\ \forall A \subseteq S_P.\ |k^P_a(s, A) - k^Q_a(s, A)| < \epsilon$. Small perturbations of the probabilities in a plMc yield a plMc that is within a small distance.

Lemma 6. If $c < 1$, and $Q$ is an $\epsilon$-perturbation of $P$, then $d^c(P, Q) \le k\epsilon$ where $k = \sup_n n c^n$.

A note on $c = 1$. For $c = 1$, $n c^n$ increases without limit, and Example 10 shows that the above lemma does not hold for $c = 1$. However, suppose $P$ is unfolded and has no loops. Let $\epsilon_i$, $i \in \mathbb{N}$, be non-negative rationals such that $\sum_i \epsilon_i = \epsilon < 1/3$. Now, let $Q$ have the same state set $S_P$, and for each state $s$ at depth $n$, $|k^P_a(s, A) - k^Q_a(s, A)| < \epsilon_n$ for each label $a$ and each measurable set $A$. Then $d^1(P, Q) \le 1 - \exp(-2\epsilon)$, thus as $\epsilon \to 0$, $d^1(P, Q) \to 0$.

5.4 Extracting Behavioral Information

The definition of the metric has a quantification over all functional expressions. However we show that for $c < 1$, there is a universal function that characterizes the $\epsilon$ balls around a given state.

Lemma 7. Let $s$ be a state in a labeled Markov process. Let $\epsilon \in (0, 0.5)$, $c \in (0, 1)$. Then, there is a function $f \in \mathcal{F}^c$ such that $f(s) = \epsilon$, and for any state $t$ in any process, $f(t) = 0$ iff $d^c(s, t) > \epsilon$.

For finite processes, we can perform a "bisimulation" style matching of transition probabilities for nearby states. Let $V$ and $V'$ be finite processes with start states $p_0$ and $p'_0$ such that $d^c(p_0, p'_0) < \epsilon$, and let there be a transition from $p_0$ to $p$ on label $a$ with probability $r$. Then there is a state $p'$ of $V'$ to which $p'_0$ has an $a$-transition and $d(p, p') < \epsilon / rc$.

We can also use the metric distance to construct bounds on probabilities. Let $V$ be a finite process with initial state $p_0$ and $\mathcal{S} = (S, i, \Sigma, \tau)$ be any process such that $d(V, \mathcal{S}) < \epsilon$. Let $f$ be any function whose values on the states of $V$ are $y_1, \ldots, y_n$, where $y_1 < y_2 < \cdots < y_n$. Let the states be numbered $1 \ldots n$, lumping together states with equal values. Let $p_1, \ldots, p_n$ be the probability of going to states $1 \ldots n$ from $p_0$ in $V$ on label $a$. Then,

$$\sum_{k < i} p_k - \epsilon/(y_i - y_{i-1}) \le \tau_a(i, \{t \mid f(t) < y_i\})$$

$$\sum_{k < i} p_k + \epsilon/(y_{i+1} - y_i) \ge \tau_a(i, \{t \mid f(t) < y_i\})$$

$$\sum_{k > i} p_k - \epsilon/(y_{i+1} - y_i) \le \tau_a(i, \{t \mid f(t) > y_i\})$$

$$\sum_{k > i} p_k + \epsilon/(y_i - y_{i-1}) \ge \tau_a(i, \{t \mid f(t) > y_i\})$$

Thus, we have bounded $\tau_a(i, \{t \mid f(t) > y_i\})$ by two numbers. The gaps are caused by the fact that some states in $\mathcal{S}$ may have $f(t) = y_i$.

6 The Asymptotic Metric

Let $P$ be a plMc. Then $P$ after $a$ is the same plMc but with start distribution given by $\nu(t) = k_a(s, t)$. We perform some normalization based on the total probability of the resulting initial configuration: if $\nu(S) > 0$, it is normalized to be $1$; if $\nu(S) = 0$, it is left untouched. This definition extends inductively to $P$ after $\sigma$, where $\sigma$ is a finite sequence of labels $(a_0, a_1, a_2, \ldots, a_k)$. Note that $P$ after $\sigma$ is identical to $P$ except that its initial configuration may be different.

Define the $j$ distance between $P, Q$: $d^c_j(P, Q) = \sup\{d^c(P \text{ after } \sigma, Q \text{ after } \sigma) \mid length(\sigma) = j\}$. We define the asymptotic distance between processes $P$ and $Q$, $d^c_\infty(P, Q)$, to be

$$d^c_\infty(P, Q) = \lim_{i \to \infty} \sup_{j \ge i} d^c_j(P, Q).$$

The fact that $d^c_\infty$ satisfies the triangle inequality and is symmetric immediately follows from the same properties for $d^c$.

Example 13. For any plMc $P$, $d^c_\infty(a_r.P, a_s.P) = 0$, where $r, s > 0$. Consider $A_3$ from Figure 1. Without the normalization in the definition of $P$ after $\sigma$, we would have got

$$d^c_\infty(a_r.A_3, a_s.A_3) = c\,|r - s|.$$

Example 14. Consider the producer process $P_2$ shown in Figure 3. This is similar to the producer $P_1$ in Figure 2 except that initially the probability of producing put is more than $p$; however, as more put's are produced, it asymptotically approaches $p$. If we consider the asymptotic distance between these two producers, we see that $d^c(P_2 \text{ after } put^n, P_1 \text{ after } put^n)$ tends to $0$ as $n$ grows. Thus $d^c_\infty(P_1, P_2) = 0$. Now by using the compositionality of parallel composition (see below), we see that $d^c_\infty(P_1 \,\|\, \text{Consumer} \,\|\, \text{Buffer}_k, P_2 \,\|\, \text{Consumer} \,\|\, \text{Buffer}_k) = 0$, which is the intuitively expected result.

Asymptotic equivalence is preserved by parallel composition and prefixing.

Theorem 4. 1. $d^c_\infty(l_r.P, l_r.Q) \le d^c_\infty(P, Q)$ for any label $l$.

2. $d^c_\infty(P \,\|\, R, Q \,\|\, R) \le d^c_\infty(P, Q)$.

Acknowledgements. We have benefited from discussions with Franck van Breugel about 
the Hutchinson metric. 
Abstract. It is shown that the satisfiability/validity questions in Temporal Logic of Actions can be translated into satisfiability/validity questions in Second Order Temporal Logic and vice versa. The translation from Second Order Temporal Logic into Temporal Logic of Actions is linear and the translation from Temporal Logic of Actions into Second Order Temporal Logic is quadratic.



1 Introduction 

A concurrent algorithm is usually specified by a program and correctness of the algorithm means that the program satisfies some desired properties. A number of methods for reasoning about concurrent programs (and hardware devices) are based on proof systems for the Temporal Logic (TL). A few years ago Leslie Lamport in [?] introduced a simpler approach in which both the algorithm and the property were specified by formulas in a single logic, the temporal logic of actions (TLA). In TLA correctness of an algorithm means that the formula specifying the algorithm implies the formula specifying the property, where "implies" is an ordinary logical implication.

TLA combines two logics: a logic of actions and a standard temporal logic. An action is a formula without temporal operators containing variables, primed variables, and constant symbols. In general, an action represents a relation between the current state and the next state, where the unprimed variables refer to the current state and the primed ones refer to the next state. For example, $x' = y + 1$, where $x$ and $y$ are variables, is an action stating that the value of $x$ in the next state equals the value of $y$ in the current state plus 1. Elementary formulas of TLA are those not containing primed variables or temporal operators and formulas of the form $\Box[A]_t$, where $A$ is an action. The formula $[A]_t$ states that either $A$ holds between the current and the next states or the value of the term $t$ does not change when passing to the next state. In this way "stuttering" steps which leave all variables unchanged are allowed. General TLA formulas are obtained from the elementary ones using, under certain restrictions, boolean connectives, quantification, and the unary temporal operator $\Box$ (always).

TLA was invented to reduce the expressive power of TL and to allow modularization and refinement. Lamport conjectured in [?] that TLA is less powerful than TL, because TLA can only express formulas invariant under stuttering, whereas TL can express non-invariant ones as well.

In this paper we show that TLA and Second Order Temporal Logic (SOTL) have the same expressive power, cf. [?]. Namely, we present a syntactical satisfiability preserving translation of SOTL formulas (not necessarily invariant under stuttering) into TLA formulas and a syntactical satisfiability preserving translation of TLA formulas into SOTL formulas $^{1}$. Since validity is dual to satisfiability we obtain the corresponding validity preserving translations as well. The translation from SOTL into TLA is linear and the translation from TLA into SOTL is quadratic. In addition, the proofs of correctness of the translations show the modifications to be made in temporal interpretations in order to preserve satisfiability/validity of the translations. It should be pointed out that, contrary to Lamport's claim in [?], our translation from TLA into SOTL is relatively simple. Also, the existence of a translation from SOTL into TLA is quite surprising in view of the expressive power of SOTL $^{2}$.

The above transformations, apart from being just of a theoretical interest, have a possible practical value. For example, to check whether a program (given by a temporal interpretation) satisfies a specification (given by a temporal formula) one can translate the specification formula into TLA, modify the temporal interpretation, and check, using the Temporal Logic Prover based on TLA, TLP [?], whether the TLA formula describing the modified temporal interpretation implies the translation of the temporal formula. Conversely, to check whether a program (given by a temporal interpretation) satisfies a specification (given by a TLA formula) one can translate the specification formula into SOTL, modify the temporal interpretation, and check, using temporal logic provers, e.g., the Stanford Temporal Prover, STeP [?], whether the modified temporal interpretation satisfies the translation of the TLA formula.

The paper is organized as follows. In the next section we recall the notion of temporal interpretation. In Section 3 we introduce an "intermediate" logic ERTLA and define the syntax and semantics of TLA. In Section 4 we recall the syntax and semantics of SOTL and embed ERTLA into that logic. In the section after that we introduce the time variable needed for simulation of the ordinary (ERTLA) satisfiability by the TLA satisfiability and vice versa, and for the embedding of SOTL into ERTLA. The corresponding results are presented in the three sections that follow, respectively. In order to use the time variable in the translations in those three sections we must assume that the interpretation domain is infinite. Thus, in the following section we show how finite domains can be simulated by infinite ones. Finally, in the last section we combine all the results from the previous sections to obtain the desired intertranslations between SOTL and TLA.

$^{1}$ That is, a formula is SOTL-satisfiable if and only if its translation is TLA-satisfiable and vice versa.

$^{2}$ Note that the expressive power of SOTL is like that of Second Order Arithmetic.
2 Temporal Interpretations

All temporal logics considered in this paper have two types of variables: one, ordinary variables whose interpretation is rigid, i.e., does not change in time, and the other, variables whose interpretation is flexible, i.e., may have different values in different states. The latter will be referred to as flexible variables and will be denoted by bold-face letters $\mathbf{x}, \mathbf{y}, \mathbf{z}$, etc.

Semantics of all temporal logics considered in this paper is based on the notion of temporal interpretations defined below. First we recall the definition of interpretations of Predicate Calculus (PC).

A PC interpretation $s$ consists of a non-empty domain $D_s$, an assignment to each $n$-place function symbol $f$ of an $n$-place function $f^s : D_s^n \to D_s$ $^{3}$, an assignment to each $n$-place predicate symbol $P$ of an $n$-place relation $P^s$ on $D_s$, such that $=^s$ is the identity relation on $D_s$, and an assignment to each (rigid) variable $x$ of an element of $D_s$.

A temporal interpretation $M$ is a PC interpretation together with an assignment to each flexible variable under consideration $\mathbf{x}$ of a function $\mathbf{x}^M : \mathbb{N} \to D_M$ $^{4}$, where $\mathbb{N}$ denotes the set of non-negative integers. For a non-negative integer $i$, $\mathbf{x}^M(i)$ is the value of $\mathbf{x}$ at the $i$th state (or in the $i$th moment of time). That is, (interpretations of) flexible variables may change in time.

One can think of a temporal interpretation $M$ as of a sequence of states $M = s_0, s_1, \ldots$ which are PC interpretations over the same domain which differ only in (PC) assignments to flexible variables. Namely, for a flexible variable $\mathbf{x}$, $\mathbf{x}^{s_i}$ is $\mathbf{x}^M(i)$.

Let $M_1$ and $M_2$ be temporal interpretations and let $x$ ($\mathbf{x}$) be a rigid (flexible) variable. We write $M_1 =_x M_2$ ($M_1 =_{\mathbf{x}} M_2$) if $M_1$ and $M_2$ assign the same values to all variables other than $x$ ($\mathbf{x}$).

Finally, let $M = s_0, s_1, \ldots$ be a temporal interpretation and let $i$ be a non-negative integer. We denote by $M^{\uparrow i}$ the temporal interpretation obtained from $M$ by removing its first $i$ states, i.e., $M^{\uparrow i} = s_i, s_{i+1}, \ldots$. In particular, for a flexible variable $\mathbf{x}$, $\mathbf{x}^{M^{\uparrow i}}(j) = \mathbf{x}^M(j + i)$, $j = 0, 1, \ldots$.

3 Temporal Logics of Actions

First we introduce a new temporal logic called Extended Raw Temporal Logic of Actions (ERTLA). ERTLA is a second order $^{5}$ temporal logic that contains as fragments both the Raw Temporal Logic of Actions (RTLA) and Simple Temporal Logic of Actions (STLA) introduced in [?] and used as preliminary steps in the definition of TLA. In addition, the syntax of ERTLA contains the syntax of TLA. The language of TLA formulas with the ordinary (ERTLA) semantics serves as an intermediate station between the intertranslation of SOTL

$^{3}$ We treat the constants as 0-place function symbols.

$^{4}$ For a temporal interpretation $M$ based on a PC interpretation $s$ we write $D_M$, $f^M$, $P^M$ and $x^M$ for $D_s$, $f^s$, $P^s$, and $x^s$, respectively.

$^{5}$ Because quantification over flexible variables is allowed.
and TLA. Namely we first translate SOTL and TLA into the intermediate logic and then we translate that logic into TLA and SOTL, respectively.

The language of ERTLA is obtained from the language of PC by

- dividing its variables in two sorts: one, ordinary variables, whose (temporal) interpretation is rigid, and the other, variables whose interpretation is flexible. The latter are referred to as flexible variables and are denoted by bold-face letters $\mathbf{x}, \mathbf{y}, \mathbf{z}$, etc.

- adding to the language of PC a unary function $'$ (prime) and a unary temporal operator $\Box$ (always). As usual, $\Diamond$ (eventually) is an abbreviation for $\neg\Box\neg$.

The formula formation rules of ERTLA are the ordinary ones with the exception that $'$ can be applied to unprimed flexible variables only: the meaning of $\mathbf{x}'$ is the value of $\mathbf{x}$ in the next state.

Next we define the semantics of ERTLA.

For a temporal interpretation $M$, a non-negative integer $i$, and a term $t$ we define the value of $t$ in the $i$th state of $M$, denoted $t^{M,i}$, by induction, as follows.

- If $t$ is a rigid variable $x$, then $t^{M,i} = x^M$;

- if $t$ is a flexible variable $\mathbf{x}$, then $t^{M,i} = \mathbf{x}^M(i)$;

- if $t$ is of the form $\mathbf{x}'$, then $t^{M,i} = \mathbf{x}^M(i + 1)$; and

- if $t$ is of the form $f(t_1, \ldots, t_k)$, where $f$ is a $k$-place function symbol, then $t^{M,i} = f^M(t_1^{M,i}, \ldots, t_k^{M,i})$. We treat constant symbols as 0-place function symbols.

We say that a temporal interpretation $M$ satisfies an ERTLA formula $\varphi$, denoted $M \models \varphi$, if the following holds.

- If $\varphi$ is an atomic formula $P(t_1, \ldots, t_k)$, then $M \models \varphi$ if and only if $P^M(t_1^{M,0}, \ldots, t_k^{M,0})$;

- $M \models \neg\varphi$ if and only if $M \not\models \varphi$;

- $M \models \varphi \supset \psi$ if and only if $M \models \varphi$ implies $M \models \psi$;

- $M \models \exists x\varphi$ if and only if there exists a temporal interpretation $M_x$ such that $M_x =_x M$ and $M_x \models \varphi$;

- $M \models \exists \mathbf{x}\varphi$ if and only if there exists a temporal interpretation $M_{\mathbf{x}}$ such that $M_{\mathbf{x}} =_{\mathbf{x}} M$ and $M_{\mathbf{x}} \models \varphi$; and

- $M \models \Box\varphi$ if and only if for each $i = 0, 1, \ldots$, $M^{\uparrow i} \models \varphi$.

A formula is (ERTLA-)satisfiable/valid, if it is satisfied by some/any temporal interpretation.

Definition 1. The Raw Temporal Logic of Actions (RTLA) is the fragment of ERTLA consisting of all ERTLA formulas without quantified flexible variables which do not contain $\Box$ in the scope of rigid variable quantifiers. RTLA formulas not containing $\Box$ are called actions $^{6}$.

$^{6}$ An action can be thought of as a relation between two consecutive states of a temporal interpretation.
Next we define the Simple Temporal Logic of Actions (STLA) that is extended to TLA by allowing, under certain restrictions, quantification over rigid and flexible variables outside of $\Box$. We shall need the following notation. For an expression $E$ not containing $'$, we denote by $E'$ the expression that is obtained from $E$ by replacing all occurrences of every flexible variable $\mathbf{x}$ in $E$ with $\mathbf{x}'$.

Let $A$ be an action and $t$ be a term not containing $'$. We shall denote the formulas $A \vee t = t'$ and $A \wedge t \ne t'$ by $[A]_t$ and $\langle A\rangle_t$, respectively.

Now we define STLA as the fragment of RTLA (see Definition 1) where each action $A$ containing $'$ appears in the form $\Box[A]_t$. Since $\neg\Box[\neg A]_t$ is equivalent to $\Diamond\langle A\rangle_t$, the latter is an STLA formula as well. We refer the reader to [?] for a comprehensive study of STLA.

Finally, for two tuples of terms $(u_1, u_2, \ldots, u_n)$ and $(v_1, v_2, \ldots, v_n)$, denoted $u$ and $v$, respectively, we abbreviate the formula $\bigwedge_{i=1}^n u_i = v_i$ by $u = v$. It can be easily verified that $[A]_u$ is equivalent to $\bigwedge_{i=1}^n [A]_{u_i}$. Thus, both $\Box(A \vee u = u')$ and $\Diamond(A \wedge u \ne u')$ are STLA formulas.

As it has been pointed out in [?], satisfiability of an STLA formula by a temporal interpretation $M$ is not affected if we add to (or remove from) $M$ stuttering steps. To be more specific, we need the following notation.

Let $M = s_0, s_1, \ldots$ be a temporal interpretation.

For a non-negative integer $i$ we denote by $\mu(i)$ the maximal integer $j \ge i$ such that for all $k = i, i + 1, \ldots, j$, $s_k = s_i$. That is, all the computation steps between $i$ and $\mu(i)$ are stuttering. Note that if $s_k = s_i$ for all $k \ge i$, i.e., the computation is halted, $\mu(i)$ is undefined.

Next we define a function $h : \mathbb{N} \to \mathbb{N}$ by

$$h(0) = \begin{cases} \mu(0) & \text{if } \mu(0) \text{ is defined} \\ 0 & \text{otherwise} \end{cases}$$

and

$$h(i + 1) = \begin{cases} \mu(h(i) + 1) & \text{if } \mu(h(i) + 1) \text{ is defined} \\ h(i) + 1 & \text{otherwise.} \end{cases}$$

Finally we define a temporal interpretation $\natural M$ by $\natural M = s_{h(0)}, s_{h(1)}, \ldots$. By definition, $\natural M$ is obtained from $M$ by removing all stuttering steps, i.e., all states $s_i$ such that no flexible variable changes its value when passing to the state $s_{i+1}$, or, in other words, by removing all states $s_i$ such that $s_{i+1} = s_i$.

Now the precise statement of invariance under stuttering is as follows.

Definition 2. We say that satisfiability of a formula $\varphi$ is invariant under stuttering if for all temporal interpretations $M_1$ and $M_2$ such that $\natural M_1 = \natural M_2$, $M_1 \models \varphi$ if and only if $M_2 \models \varphi$.

At last we have arrived at the definition of the syntax of TLA. The definition is by induction, as follows.
- Each STLA formula is an atomic TLA formula;

- if $\varphi$ and $\psi$ are TLA formulas then $\neg\varphi$ and $\varphi \supset \psi$ are TLA formulas; and

- if $\varphi$ is a TLA formula, $x$ is a rigid variable and $\mathbf{x}$ is a flexible variable, then $\exists x\varphi$ and $\exists \mathbf{x}\varphi$ are TLA formulas.

It was pointed out in [?] that (the ordinary ERTLA-) satisfiability of TLA formulas is not invariant under stuttering.

Example 1. Suppose, for the sake of argument, that there is an STLA formula $F(\mathbf{x}, \mathbf{y})$ stating that always $\mathbf{x}$ changes before $\mathbf{y}$ and $\mathbf{x}$ and $\mathbf{y}$ never change simultaneously. It follows that a temporal interpretation $M$ with a suitable assignment to $\mathbf{y}$ satisfies $\exists \mathbf{x} F(\mathbf{x}, \mathbf{y})$, because the temporal interpretation $M_{\mathbf{x}}$ obtained from $M$ by a suitable interpretation of $\mathbf{x}$ satisfies $F(\mathbf{x}, \mathbf{y})$. Let $M_1$ be a temporal interpretation that agrees with $M$ up to stuttering but in which $\mathbf{y}$ changes already in the initial state. Obviously, $\natural M = \natural M_1$. However, $M_1 \not\models \exists \mathbf{x} F(\mathbf{x}, \mathbf{y})$, because, in $M_1$, $\mathbf{y}$ changes already in the initial state. Thus, satisfiability of TLA formulas is not invariant under stuttering.

To obtain invariance under stuttering Lamport in [?] introduced a new notion of satisfiability of TLA formulas that will be referred to as the TLA-satisfiability and is defined as follows.

Let $\varphi$ be a TLA formula and let $M$ be a temporal interpretation. We say that $M$ TLA-satisfies $\varphi$, denoted $M \models_{TLA} \varphi$, if the following holds.

- If $\varphi$ is an STLA formula, then $M \models_{TLA} \varphi$ if and only if $M \models \varphi$;

- $M \models_{TLA} \neg\varphi$ if and only if $M \not\models_{TLA} \varphi$;

- $M \models_{TLA} \varphi \supset \psi$ if and only if $M \models_{TLA} \varphi$ implies $M \models_{TLA} \psi$;

- $M \models_{TLA} \exists x\varphi$ if and only if there exists a temporal interpretation $M_1$ such that $M_1 =_x M$ and $M_1 \models_{TLA} \varphi$; and

- $M \models_{TLA} \exists \mathbf{x}\varphi$ if and only if there exist temporal interpretations $M_1$ and $M_2$ such that $\natural M_1 = \natural M$, $M_2 =_{\mathbf{x}} M_1$, and $M_2 \models_{TLA} \varphi$.

Example 2. Let $F(\mathbf{x}, \mathbf{y})$, $M$, $M_{\mathbf{x}}$, and $M_1$ be as in Example 1. Then $M_1 \models_{TLA} \exists \mathbf{x} F(\mathbf{x}, \mathbf{y})$, because $\natural M = \natural M_1$, $M_{\mathbf{x}} =_{\mathbf{x}} M$, and $M_{\mathbf{x}} \models_{TLA} F(\mathbf{x}, \mathbf{y})$.

In general, it was shown in [?] that TLA-satisfiability (of TLA formulas) is invariant under stuttering.

We conclude this section with an additional example which illustrates the difference between the ordinary satisfiability and the TLA-satisfiability.

Example 3. This example deals with the formula $\exists \mathbf{x} \forall \mathbf{y} \Box[\mathbf{x} \ne \mathbf{x}']_{\mathbf{y}}$ stating that some $\mathbf{x}$ changes at least as fast as any other $\mathbf{y}$ $^{7}$. This formula is ERTLA-valid.

$^{7}$ That is, in each computation step where $\mathbf{y}$ changes, $\mathbf{x}$ changes as well.




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Indeed, let M be a temporal interpretation. If consists of only one element, 
obviously, M ^ 3 xiy[x yf x']y. If there are two distinct elements a and b in 
Dm, then for the temporal interpretation M with 

M/ \ f a i is even 
W = |6zisodd 



we have |= Vy[a; yf x']y. 

On the other hand, the negation Va;3yO (a; = x')y of 3a;Vyn[a; y^ x']y is TLA- 
satisfied by all temporal interpretations whose domain contains two or more 
distinct elements. That is, 3a;VyD[a; yf x']y is “almost a TLA-contradiction.” 
Indeed, let M be a temporal interpretation such that there are two distinct 
elements a and b in D^. It suffices to show that for all “stretchings” Mi of 
M and all assignments to x in Mi there is a stretching M2 of Mi and an 
assignment to y in M2 such that, in M2, in some moment, y changes before 
X. Let Ml = si^o, si,i, ... be a stretching of M with any assignment to x. We 
have to show that there are two temporal interpretations Mi and M 2 such 
that tjiVifi = tlAfi, M 2 =y Ml, and M 2 ^ 0{x = x')y. We define Mi by 
“doubling” the first state si_o of Mi, i.e.. Mi = si_o, si,o, si,i, ■ • ■, and obtain 
M 2 from Ml assigning to y 



y"\i) 



a i = 0 

b i = 1 , 2 ,... ■ 



Then M2 \= x = x’ A y ^ y' , implying M2 ^ 0 (a; = x')y. 
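The two halves of Example 3 can be replayed on finite prefixes of the traces. The following Python code is an added illustration and not part of the paper: it models a temporal interpretation as a list of states over the constructed domain {a, b}, checks the action formulas $[x \neq x']_y$ and $\langle x = x'\rangle_y$ step by step, and reproduces the stretching (doubling the first state) and the reassignment of $y$ that make the negated formula true. The function names, the prefix length and the sample traces are assumptions of this example.

```python
# Added example (not from the paper): finite prefixes of the temporal
# interpretations of Example 3, with the TLA action formulas checked
# step by step. A state maps flexible variable names to values; the
# domain {a, b} and every trace below are constructed for illustration.

def changes(s, t, var):
    """True when flexible variable `var` takes different values in s and t."""
    return s[var] != t[var]

def box_square_action(trace, x, y):
    """[]( [x != x']_y ): at every step, if y changes then x changes too.
    This is the stuttering-closed action of Example 3."""
    return all(changes(s, t, x) or not changes(s, t, y)
               for s, t in zip(trace, trace[1:]))

def eventually_angle_action(trace, x, y):
    """<> < x = x' >_y: at some step y changes while x stays the same
    (the negation used in the second half of Example 3)."""
    return any(not changes(s, t, x) and changes(s, t, y)
               for s, t in zip(trace, trace[1:]))

def natural(trace):
    """The stuttering-free form (written with a natural sign in the paper):
    drop every state that repeats its predecessor."""
    out = [trace[0]]
    for s in trace[1:]:
        if s != out[-1]:
            out.append(s)
    return out

def stretch_first(trace):
    """Add one stuttering step by doubling the first state, as in Example 3."""
    return [trace[0]] + list(trace)

def assign(trace, var, values):
    """A trace that differs from `trace` only in the assignment to `var`
    (the relation written M_2 =_var M_1 in the paper)."""
    return [dict(s, **{var: v}) for s, v in zip(trace, values)]

def example_m1(length=6):
    """M_1: x alternates a, b, a, b, ...; y is constant, so [x != x']_y holds."""
    return [{"x": "ab"[i % 2], "y": "a"} for i in range(length)]

def example_m2():
    """M_2 of Example 3: double the first state of M_1, then let y change
    immediately (a, b, b, ...) while the doubled x has not yet changed."""
    m1_hat = stretch_first(example_m1())
    return assign(m1_hat, "y", ["a"] + ["b"] * (len(m1_hat) - 1))

if __name__ == "__main__":
    m1, m2 = example_m1(), example_m2()
    print("M_1 |= [][x != x']_y  :", box_square_action(m1, "x", "y"))        # True
    print("M_2 |= <><x = x'>_y   :", eventually_angle_action(m2, "x", "y"))  # True
    print("stuttering-equivalent :", natural(stretch_first(m1)) == natural(m1))  # True
```

Over a finite prefix the checks are only approximations of the infinite-trace semantics; what the example shows is the mechanism the paper relies on: adding a single stuttering step before the first change of $x$ lets a different assignment to $y$ change earlier than $x$, while the stutter-free form $\natural M$ is unchanged.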

In Section 7 we show that the TLA satisfiability can be interpreted by the ordinary (ERTLA) satisfiability and in Section 6 we show that the ordinary satisfiability can be interpreted by the TLA satisfiability.



4 Second Order Temporal Logic

In this section we recall the syntax and semantics of Second-Order Temporal Logic (SOTL) and embed ERTLA into that logic. The language of SOTL is obtained from the language of PC by

— dividing its variables into rigid and flexible, and

— adding to the language of PC two unary temporal operators, $\circ$ (next) and $\Box$ (always), and one binary temporal operator, $\mathcal{U}$ (until).

The satisfiability of a SOTL formula $\varphi$ by a temporal interpretation $M$, also denoted $M \models \varphi$, is defined by the following induction.

— The cases of atomic formulas, boolean connectives, quantifiers over rigid and flexible variables, and the temporal operator $\Box$ are exactly as those in ERTLA and are omitted;

— $M \models \circ\varphi$ if and only if the suffix of $M$ that starts at its second state satisfies $\varphi$; and

— $M \models \varphi\,\mathcal{U}\,\psi$ if and only if there is an $i = 0, 1, \ldots$ such that the suffix of $M$ that starts at state $i$ satisfies $\psi$ and, for each $j = 0, 1, \ldots, i-1$, the suffix of $M$ that starts at state $j$ satisfies $\varphi$.

A (SOTL) formula is SOTL-satisfiable/valid if it is satisfied by some/any temporal interpretation.

Next we present a satisfiability preserving translation of ERTLA formulas into SOTL formulas.

Let $y'_1, \ldots, y'_n$ be all primed flexible variables that appear in an ERTLA formula $\varphi$. For each $j = 1, \ldots, n$ we pick a "new" rigid variable $y^\circ_j$ and for a term $t$ that appears in $\varphi$ we denote by $t^\circ$ the result of simultaneous replacement of each $y'_j$ with $y^\circ_j$, $j = 1, \ldots, n$. Now we define the translation of $\varphi$ into SOTL, denoted $\varphi^{SOTL}$, by induction as follows.

— If $\varphi$ is an atomic formula $P(t_1, \ldots, t_k)$, then $\varphi^{SOTL}$ is

$$\forall y^\circ_1 \ldots \forall y^\circ_n\Big(\big(\bigwedge_{j=1}^{n} \circ(y_j = y^\circ_j)\big) \supset P(t^\circ_1, \ldots, t^\circ_k)\Big).$$

— $(\neg\varphi)^{SOTL}$, $(\varphi \supset \psi)^{SOTL}$, and $(\exists x\varphi)^{SOTL}$ are $\neg\varphi^{SOTL}$, $\varphi^{SOTL} \supset \psi^{SOTL}$, and $\exists x\varphi^{SOTL}$, respectively.

Theorem 1. An ERTLA formula $\varphi$ is (ERTLA-) satisfiable if and only if the SOTL formula $\varphi^{SOTL}$ is (SOTL-) satisfiable.
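As an added example (not the paper's own code), here is the translation $\varphi^{SOTL}$ just defined, implemented in Python over a toy abstract syntax. Terms are restricted to variable names, a primed flexible variable is written with a trailing apostrophe, the fresh rigid variable chosen for $y'$ is printed as $y^\circ$ as in the text, and only the four cases listed above are covered. The formulas built at the end are constructed for illustration.

```python
# Added example (not from the paper): the ERTLA -> SOTL translation of
# Section 4 on a toy syntax.  A term is a variable name; "y'" denotes the
# primed flexible variable y'.  Function symbols and the [] case are not
# covered here.
from dataclasses import dataclass
from typing import Tuple, Union

@dataclass(frozen=True)
class Atom:                     # P(t_1, ..., t_k)
    pred: str
    args: Tuple[str, ...]

@dataclass(frozen=True)
class Not:                      # ¬φ
    sub: "Formula"

@dataclass(frozen=True)
class Impl:                     # φ ⊃ ψ
    left: "Formula"
    right: "Formula"

@dataclass(frozen=True)
class Exists:                   # ∃xφ
    var: str
    sub: "Formula"

Formula = Union[Atom, Not, Impl, Exists]

def primed_variables(phi):
    """All primed flexible variables y'_1, ..., y'_n occurring in phi."""
    if isinstance(phi, Atom):
        return {a for a in phi.args if a.endswith("'")}
    if isinstance(phi, Impl):
        return primed_variables(phi.left) | primed_variables(phi.right)
    return primed_variables(phi.sub)

def rigid_copy(primed):
    """The fresh rigid variable y° picked for the primed variable y'."""
    return primed[:-1] + "°"

def to_sotl(phi, primed):
    """Translate phi; `primed` is the list y'_1..y'_n fixed for the whole formula."""
    if isinstance(phi, Atom):
        degree = {p: rigid_copy(p) for p in primed}          # t -> t°
        args = ", ".join(degree.get(a, a) for a in phi.args)
        if not primed:
            return f"{phi.pred}({args})"
        prefix = "".join(f"∀{degree[p]}" for p in primed)
        guard = " ∧ ".join(f"○({p[:-1]} = {degree[p]})" for p in primed)
        return f"{prefix}(({guard}) ⊃ {phi.pred}({args}))"
    if isinstance(phi, Not):
        return f"¬{to_sotl(phi.sub, primed)}"
    if isinstance(phi, Impl):
        return f"({to_sotl(phi.left, primed)} ⊃ {to_sotl(phi.right, primed)})"
    return f"∃{phi.var}{to_sotl(phi.sub, primed)}"

def translate(phi):
    """phi^SOTL: the rigid copies y° are chosen once for the whole formula."""
    return to_sotl(phi, sorted(primed_variables(phi)))

if __name__ == "__main__":
    # Constructed formula: ∃x(Eq(x, x') ⊃ Eq(y, y')), "if x stutters then y stutters".
    phi = Exists("x", Impl(Atom("Eq", ("x", "x'")), Atom("Eq", ("y", "y'"))))
    print(translate(phi))
```

Every atomic formula receives the same quantifier prefix over all of $y^\circ_1, \ldots, y^\circ_n$, exactly as in the definition; the guard $\circ(y_j = y^\circ_j)$ fixes each rigid copy to the next-state value of $y_j$, which is what the primed variable refers to in ERTLA.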

5 The Time Variable

In this section we introduce the time variable $t$ needed for the translations of ERTLA into TLA, of TLA into ERTLA, and of SOTL into ERTLA. The definition is similar to that of the time predicate in [?]. The time variable is intended to simulate the external time. In particular, let $\varphi$ be an ERTLA formula, $x$ be a free flexible variable of $\varphi$, and let $M = s_0, s_1, \ldots$ be a temporal interpretation. If for some $i = 0, 1, \ldots$ the step from $s_i$ to $s_{i+1}$ satisfies $x \neq x'$, then (the assignment to) the time variable $t$ advances to the next value in the state $s_{i+1}$. To define the time variable $t$ we shall need the following notation.

Let $<$ be a two-place predicate symbol that does not belong to the original language of ERTLA. We denote by $DORD$ the sentence stating that $<$ is an infinite discrete partial order. That is, $DORD$ is the conjunction of the partial order axioms with $\forall x\exists y\,NEXT(x,y)$, where $NEXT(x,y)$ denotes the formula

$$x < y \wedge \forall z(x < z \supset (y < z \vee y = z))$$

saying that $y$ follows $x$ in the order imposed by $<$.

Finally, let $V_\varphi$ denote the set of all free flexible variables of $\varphi$.

For an ERTLA formula $\varphi$ we define the "time variable axiom of $\varphi$," denoted $T_\varphi(t)$, as

$$DORD \wedge \Box[NEXT(t,t')]_{V_\varphi} \wedge \Box\Diamond\langle true\rangle_t.$$



282 Arkady Estrin and Michael Kaminski 



Note that $T_\varphi(t)$ is an STLA formula where the conjunct $\Box[NEXT(t,t')]_{V_\varphi}$ implies that $t$ changes at least as fast as any of the free flexible variables in $\varphi$, and the conjunct $\Box\Diamond\langle true\rangle_t$ implies that the time $t$ never stops, i.e., changes forever.

Obviously, the time axiom $T_\varphi(t)$ cannot be satisfied by temporal interpretations over finite domains. Thus, till Section 9 we assume that all temporal interpretations under consideration are over infinite domains. In Section 9 we show how finite domains can be simulated by infinite ones.

6 Simulating the ERTLA Satisfiability by the TLA Satisfiability

In this section, using the time variable, we present a translation of TLA formulas into TLA formulas such that a TLA formula is ERTLA-satisfiable (by a temporal interpretation with an infinite domain) if and only if its translation is TLA-satisfiable. The translation $T(\varphi,t)$ of a formula $\varphi$ depends on the time variable $t$ and is defined by induction as follows.

— If $\varphi$ is an STLA formula, then $T(\varphi,t)$ is $\varphi$ itself;

— $T(\neg\varphi,t)$, $T(\varphi \supset \psi,t)$, and $T(\exists x\varphi,t)$ (for a rigid variable $x$) are $\neg T(\varphi,t)$, $T(\varphi,t) \supset T(\psi,t)$, and $\exists xT(\varphi,t)$, respectively; and

— $T(\exists x\varphi,t)$ (for a flexible variable $x$) is $\exists x(\Box[t \neq t']_x \wedge T(\varphi,t))$.

The relativization of the existential quantifier over the flexible variable $x$ to $\Box[t \neq t']_x$ in the last point is intended to neutralize the influence of adding/removing stuttering steps before choosing an appropriate assignment to $x$ when passing to the TLA-satisfiability. Namely, the assignment to $x$ cannot change faster than the assignment to $t$, which does not change in the stuttering steps.

The relationship between the formulas $\varphi$ and $T(\varphi,t)$ is as follows.

Theorem 2. A TLA formula $\varphi$ is ERTLA-satisfiable by a temporal interpretation over an infinite domain if and only if $T_\varphi(t) \wedge T(\varphi,t)$ is TLA-satisfiable.

Example 4 below illustrates the influence of the conjunct $\Box[t \neq t']_x$ on the assignment to $x$ in interpretations which satisfy the formula translation.

Example 4. Let $F(x,y)$ and $M_1$ be as in Example 1. Then, as it has been shown in that example, $M_1 \not\models \exists xF(x,y)$, but $M_1 \models_{TLA} \exists xF(x,y)$. We shall prove that there is no assignment to $t$ (in $M_1$) such that $M_1$ TLA-satisfies the translation $T_{\exists xF(x,y)}(t) \wedge \exists x(\Box[t \neq t']_x \wedge F(x,y))$ of $\exists xF(x,y)$. Assume to the contrary that for some $t^{M_1} : \mathbb{N} \to D_{M_1}$, $M_1 \models_{TLA} T_{\exists xF(x,y)}(t) \wedge \exists x(\Box[t \neq t']_x \wedge F(x,y))$. That is, there exist temporal interpretations $\hat M_1$ and $M_2$ such that $\natural\hat M_1 = \natural M_1$, $M_2 =_x \hat M_1$, and $M_2 \models T_{\exists xF(x,y)}(t) \wedge \Box[t \neq t']_x \wedge F(x,y)$. However, by the conjunct $\Box[t \neq t']_x$, in $M_2$ the first change of $x$ cannot occur before the first change of $t$. The latter occurs together with the first change of $y$, because, in $M_1$, $y$ changes already in the first state. Therefore, in $M_2$, $y$ changes before $x$, which is impossible, because $M_2 \models F(x,y)$. That is, we have arrived at a contradiction, which completes the proof.
7 Simulating the TLA Satisfiability by the ERTLA Satisfiability

In this section, using the time variable, we present a translation of TLA formulas into TLA formulas such that a TLA formula is TLA-satisfiable (by a temporal interpretation with an infinite domain) if and only if its translation is ERTLA-satisfiable. The idea behind our translation is illustrated by Example 5 below.

Example 5. Again, let $F(x,y)$ and $M_1$ be as in Example 1. Then, as it has been shown in that example, $M_1 \models_{TLA} \exists xF(x,y)$, but $M_1 \not\models \exists xF(x,y)$. To simulate the TLA satisfiability of $\exists xF(x,y)$ by the ERTLA satisfiability in $M_1$ we first replace the free flexible variable $y$ with a new free flexible variable $u_y$ that behaves like $y$ after adding/removing stuttering steps, and then find an assignment to $x$ such that the resulting interpretation $\hat M_1$ satisfies $F(x,u_y)$.

For example, we can put

$$u_y^{\hat M_1}(i) = \begin{cases} a & i = 0, 1 \\ b & i = 2, 3, \ldots \end{cases} \qquad\text{and}\qquad x^{\hat M_1}(i) = \begin{cases} a & i = 0 \\ b & i = 1, 2, \ldots \end{cases}$$

The free variable $u_y$ is introduced in three steps.

1. First, we "add to $M_1$" a new time variable $t$ whose assignment changes in each computation step.

2. Then we add an additional time variable $\hat t$ whose assignment simulates $t$ after adding/removing stuttering steps to $M_1$.

3. Finally, we add $u_y$ whose assignment respects $\hat t$.

After all that we choose an appropriate assignment to $x$. For example, this can result in the following sequence of states (temporal interpretation) $\hat M_1$ that satisfies $F(x,u_y)$.

$(x^{\hat M_1} = a,\ y^{\hat M_1} = a,\ t^{\hat M_1} = \tau_0,\ \hat t^{\hat M_1} = \tau_0,\ u_y^{\hat M_1} = a)$

$(x^{\hat M_1} = b,\ y^{\hat M_1} = b,\ t^{\hat M_1} = \tau_1,\ \hat t^{\hat M_1} = \tau_0,\ u_y^{\hat M_1} = a)$

$(x^{\hat M_1} = b,\ y^{\hat M_1} = b,\ t^{\hat M_1} = \tau_2,\ \hat t^{\hat M_1} = \tau_1,\ u_y^{\hat M_1} = b)$

Our translation involves the (TLA) formula

$$T_{true}(t) \wedge \forall u\big(T_{true}(u) \supset \Box[t \neq t']_u\big)$$

denoted $FT(t)$. This formula states that $t$ is the fastest time variable. That is, the assignment to $t$ in temporal interpretations (ERTLA-) satisfying $FT(t)$ must change from state to state.⁸

⁸ In particular, $FT(t)$ implies $T_\varphi(t)$ for all formulas $\varphi$.

We shall also need the (TLA) formula

$$T_{true}(t_2) \wedge (t_1 = t_2)$$

denoted $S(t_1,t_2)$, whose intended meaning is that $t_2$ simulates $t_1$ after adding/removing stuttering steps. Namely, $S(t_1,t_2)$ will appear in conjunction with $FT(t_1)$. In this case, it states that $t_2$ is a time variable whose initial value is equal to that of the fastest time variable $t_1$. Thus, the whole range of $t_2$ is equal to that of $t_1$, even though $t_1$ may change faster than $t_2$.

Now we define the desired translation of TLA formulas. For a TLA formula $\varphi$ and a new flexible variable $t$ (the fastest time variable) we define a TLA formula $G(\varphi,t)$ by induction as follows.

— If $\varphi$ is an STLA formula, then $G(\varphi,t)$ is $\varphi$ itself;

— $G(\neg\varphi,t)$, $G(\varphi \supset \psi,t)$, and $G(\exists x\varphi,t)$ (for a rigid variable $x$) are $\neg G(\varphi,t)$, $G(\varphi,t) \supset G(\psi,t)$, and $\exists xG(\varphi,t)$, respectively.

— Assume that all free flexible variables of $\varphi$ are among $x, y_1, \ldots, y_m$. Then $G(\exists x\varphi(x,y_1,\ldots,y_m),t)$ (for a flexible variable $x$) is

$$\exists\hat t\,\exists u_{y_1} \ldots \exists u_{y_m}\exists x\Big(S(t,\hat t) \wedge \forall\tau\forall\upsilon\bigwedge_{i=1}^{m}\big(\Diamond(t = \tau \wedge y_i = \upsilon) \equiv \Box(\hat t = \tau \supset u_{y_i} = \upsilon)\big) \wedge G(\varphi(x,u_{y_1},\ldots,u_{y_m}),t)\Big),$$

where $\tau$ and $\upsilon$ are rigid variables.

In the last point of the definition of $G$, the quantifier part $\exists\hat t\,\exists u_{y_1} \ldots \exists u_{y_m}$ reflects adding/removing stuttering steps to the original temporal interpretation and $\exists x$ states that there is an appropriate assignment to $x$ in the temporal interpretation "after adding/removing stuttering steps;" the conjunct $S(t,\hat t)$ assures that (subject to satisfiability of $FT(t)$) $\hat t$ simulates $t$ in the stretched temporal interpretation; the conjunct

$$\forall\tau\forall\upsilon\bigwedge_{i=1}^{m}\big(\Diamond(t = \tau \wedge y_i = \upsilon) \equiv \Box(\hat t = \tau \supset u_{y_i} = \upsilon)\big)$$

assures that the new flexible variable $u_{y_i}$ simulates $y_i$, $i = 1, \ldots, m$, in the stretched temporal interpretation; and the last conjunct $G(\varphi(x,u_{y_1},\ldots,u_{y_m}),t)$ is the recursive call of the translation on $\varphi(x,u_{y_1},\ldots,u_{y_m})$.

Theorem 3. A (TLA) formula $\varphi$ is TLA-satisfiable by a temporal interpretation over an infinite domain if and only if the formula $FT(t) \wedge G(\varphi,t)$ is ERTLA-satisfiable.

Example 6 below continues Example 5.

Example 6. Let $\hat M_1$ be as in Example 5. It can be easily verified that $\hat M_1 \models FT(t) \wedge G(\exists xF(x,y),t)$.
8 Embedding SOTL into ERTLA

In this section we embed SOTL into ERTLA. For a SOTL formula $\varphi$, a rigid variable $u$ that does not appear in $\varphi$, and the time variable $t$ we define an ERTLA formula $H(\varphi,t,u)$ whose intended meaning is that $\varphi$ holds at the moment $u$ of the time $t$. The formula $H(\varphi,t,u)$ is defined by induction as follows.

— If $\varphi$ is an atomic formula, then $H(\varphi,t,u)$ is $\Box(t = u \supset \varphi)$;

— $H(\neg\varphi,t,u)$, $H(\varphi \supset \psi,t,u)$, and $H(\exists x\varphi,t,u)$ (for a rigid variable $x$) are $\neg H(\varphi,t,u)$, $H(\varphi,t,u) \supset H(\psi,t,u)$, and $\exists xH(\varphi,t,u)$, respectively;

— $H(\exists x\varphi,t,u)$ (for a flexible variable $x$) is $\exists x(\Box[t \neq t']_x \wedge H(\varphi,t,u))$;

— $H(\circ\varphi,t,u)$ is $\forall v(NEXT(u,v) \supset H(\varphi,t,v))$;

— $H(\Box\varphi,t,u)$ is $\forall v((v \geq u \wedge \Diamond(t = v)) \supset H(\varphi,t,v))$; and

— $H(\varphi\,\mathcal{U}\,\psi,t,u)$ is

$$\exists v\big(v \geq u \wedge \Diamond(t = v) \wedge H(\psi,t,v) \wedge \forall w(u \leq w < v \supset H(\varphi,t,w))\big).$$

Theorem 4. A SOTL formula $\varphi$ is (SOTL-) satisfiable by a temporal interpretation over an infinite domain if and only if the formula $T_\varphi(t) \wedge (t = u) \wedge H(\varphi,t,u)$ is (ERTLA-) satisfiable.

Remark 1. Since $T_\varphi(t)$ is a TLA formula and $H(\varphi,t,u)$ does not contain primed flexible variables, $T_\varphi(t) \wedge (t = u) \wedge H(\varphi,t,u)$ is a TLA formula. Thus, combining Theorems 2 and 4 we obtain a satisfiability preserving translation from SOTL into TLA.

9 Simulating Finite Domains by Infinite Domains

In this section, using the "relativization technique," we show how satisfiability by temporal interpretations over an infinite domain can be simulated by the standard satisfiability. This simulation step is required because we need infinitely many domain elements to simulate time. It is combined with the translations from the previous sections, which results in an "unconditional" validity preserving translation.

We shall use the following notation. Let $R$ be a new unary predicate symbol and let $\varphi$ be a formula over the original language. We denote the formulas $\exists x(R(x) \wedge \varphi(x))$ and $\exists x(\Box R(x) \wedge \varphi(x))$ by $\exists_R x\varphi(x)$, for a rigid and for a flexible variable $x$, respectively.

The $R$-relativization of $\varphi$, denoted $\varphi_R$, is the formula that is obtained from $\varphi$ by replacing the quantifier $\exists$ with $\exists_R$. Also, we denote by $F^R_\varphi$ the conjunction of all formulas of the form $\forall x_1 \ldots \forall x_n\exists x(f(x_1,\ldots,x_n) = x)$, all formulas of the form $\exists y(y = x)$, and all formulas of the form $\exists y\Box(y = x)$, where $f$ is a function symbol that appears in $\varphi$ and $x$ is a free rigid/flexible variable of $\varphi$.

Proposition 1. Let $\varphi$ be an SOTL/ERTLA/TLA formula. Then $\varphi$ is SOTL/ERTLA/TLA-satisfiable if and only if $\exists xR(x) \wedge F^R_\varphi \wedge \varphi_R$ is SOTL/ERTLA/TLA-satisfiable by a temporal interpretation over an infinite domain.⁹

⁹ We need the conjunct $\exists xR(x)$ to ensure that $R$ is not empty, and the conjunct $F^R_\varphi$ is required because for each ($n$-place) function symbol $f$ (rigid/flexible variable
10 Summary

Combining Theorems [?] and [?] with Proposition 1 we obtain satisfiability preserving translations of TLA into SOTL and vice versa. Since validity is dual to satisfiability, the above translations can be easily transformed into validity preserving ones.

Our last remark is that the translation from SOTL into TLA is linear, whereas the converse translation is quadratic.
Abstract. This paper investigates an approach for statically preventing 
race conditions in an object-oriented language. The setting of this work is 
a variant of Gordon and Hankin’s concurrent object calculus. We enrich 
that calculus with a form of dependent object types that enables us 
to verify that threads invoke and update methods only after acquiring 
appropriate locks. We establish that well-typed programs do not have 
race conditions. 



1 Introduction 

Concurrent object-oriented programs suffer from many of the errors common in 
concurrent programs of other sorts. In particular, the use of objects does not 
diminish the importance of careful synchronization. With objects or without 
them, improper synchronization may lead to race conditions (that is, two pro- 
cesses accessing a shared resource simultaneously) and ultimately to incorrect 
behavior. 

A standard approach for eliminating race conditions consists in protecting each shared resource with a lock, requiring that a process acquire the corresponding lock before using the resource [?]. Object-oriented programs often rely on this approach, but with some peculiar patterns. It is common to group related resources into an object, and to attach the lock that protects the resources to this object. Processes may acquire the lock before invoking the methods of the object; alternatively, the methods may acquire this lock at the start of their execution. With constructs such as Java's synchronized methods [?], some object-oriented languages support these synchronization patterns. However, standard object-oriented languages do not enforce proper synchronization; it remains possible, even easy, to write programs with race conditions.

This paper investigates a static-analysis approach for preventing race condi- 
tions in an object-oriented language. The approach consists in associating locks 
with shared object components and in verifying that appropriate locks have been 
acquired before each operation. In the object-oriented language that we treat, 
the object components are methods; they can be both invoked and updated. 
(Fields are a special case of methods [?].) Thus, the approach consists in associating locks with methods and in verifying that appropriate locks have been 
acquired before each method invocation and update. Because a method invoca- 
tion may trigger other operations, several locks may be required for it; only one 
lock is required for a method update. 
© Springer-Verlag Berlin Heidelberg 1999

The annotations and checks necessary in our static analysis are expressed 
in a type system. Like standard type systems, this type system assigns a type 
to each of the methods of an object. In addition, it gives the set of locks that 
must be held before invoking the method and the lock that must be held before 
updating the method (or an indication that the update is forbidden). Each of 
these locks may be external to the object, but it may also be a special lock 
associated with self, that is, with this object. 

Thus, we are led to a type system with dependent types, in which the type of 
an object refers to values, namely to locks. However, the type system is restrictive 
enough to preserve the important phase distinction between compile-time and 
run-time [?]. All our checking takes place at compile-time (without excluding the possibility of further run-time checking).

The checking guarantees the absence of race conditions: if a program is well- 
typed, then during its execution no two threads attempt to access an object 
component at the same time. In addition, the checking guarantees the absence of 
standard run-time type errors ( “message-not-understood” errors) . Our approach 
can handle some interesting, common examples, as we demonstrate. Although it 
is far from complete, we believe that it represents a sensible compromise between 
simplicity and generality, and a worthwhile step in the ongoing investigation of 
the use of types for safe locking. 

Background 

In a recent paper we developed an analogous technique for a basic calculus 
with reference cells but no data structures. In that paper, singleton types (types 
with one single element) enable the tracking of locks; existential types permit 
the hiding of singleton types for locks. That paper also describes a technique for 
avoiding deadlocks, which it should be possible to adapt to the setting of the 
present paper. The substantial novelty of the present paper is the treatment of 
objects, object types, and subtyping. Here we avoid the use of singleton types 
and existential types, and resort to specialized dependent types instead. These 
dependent types require somewhat less conceptual machinery and support more 
flexible subtyping relations. 

In addition to our own previous work, we rely on Gordon and Hankin's concurrent object calculus concς [?]. This calculus is a small but extremely 
expressive concurrent object-oriented language; it features a compact and elegant 
presentation of the concepts of expression, process, store, and configuration. We 
refer the reader to Gordon and Hankin’s work for motivations for this calculus 
and additional examples and technical developments. 

The calculus concς extends a sequential calculus of Abadi and Cardelli [?], 
adopting the basic type structure and subtyping relation of that sequential calcu- 
lus. Here we extend the type system with our form of dependent types. Gordon 
and Hankin’s type system does not attempt to guarantee the absence of race 
conditions; our type system provides that guarantee. 

For simplicity, we omit the cloning construct from concς. We also replace the 
synchronization primitives that Gordon and Hankin presented as an extension to 
concς. Those primitives are two separate operations for acquiring and releasing a 
lock. Instead, we use the expression lock v in a, which acquires the lock denoted 
by V, evaluates a, then releases the lock. Like Java’s synchronized statement, 
the expression lock v in a automatically guarantees the proper nesting of lock 
operations, helping static checking. Moreover, our calculus associates locks with 
objects (unlike concς, but like Java). 

There are some other languages that we might have used as a starting point for this work instead of concς, in particular Di Blasio and Fisher's concurrent object calculus [?]. However, we prefer to base our work on that of Gordon and Hankin, for two main reasons. First, Di Blasio and Fisher's calculus permits object extension but not subtyping, unlike concς and unlike most typed object-oriented languages; we wish to treat subtyping. Furthermore, Di Blasio and 
Fisher’s calculus combines synchronization mechanisms with the primitive oper- 
ations on objects. Like Gordon and Hankin, we prefer to keep synchronization 
separate from object operations, although our object types do mention locks. 
Di Blasio and Fisher’s interesting study does not address race conditions, but 
shows that certain synchronization guards do not have side-effects. 

Other pieces of related work are discussed in our recent paper. These rely on 
a variety of techniques, including program-verification methods and data-flow 
analyses, for example. One of the most relevant is the work of Kobayashi and Sumii [?], which develops a type-based technique for avoiding deadlocks (not necessarily race conditions) in the context of a process calculus. Another one is Warlock [?], a system for partial detection of race conditions and deadlocks in ANSI C programs. We are not aware of any work that specifically addresses race conditions in object-oriented programs. In another direction, there have been intriguing explorations of the combination of dependent types with objects and subtyping, with an emphasis on logical frameworks rather than programming languages [?].

Outline 

The next section presents the syntax and informal semantics of the concurrent object-oriented language that we treat; an appendix contains a formal semantics. Section 3 develops our type system for this calculus. Section 4 shows some example applications of our type system. Section 5 considers formal properties. Finally, Section 6 concludes. Proofs are omitted.

2 A Concurrent Object Calculus 

This section describes our variant of Gordon and Hankin’s concurrent object 
calculus. It is largely a review. 
2.1 Syntax 

We define the sets of results, denotations, lock states, and terms by the grammar:

Syntax

u, v ::=                                    results
    x                                       variable
    p                                       name
d ::=                                       denotations
    [ℓ_i = ς(x_i)b_i  i∈1..n]^m              object
m ::=                                       lock states
    •                                       locked
    ∘                                       unlocked
a, b, c ::=                                 terms
    u                                       result
    (νp)a                                   restriction
    p ↦ d                                   denomination
    u.ℓ                                     method invocation
    u.ℓ ⇐ ς(x)b                             method update
    let x=a in b                            let
    a ▹ b                                   parallel composition
    lock u in a                             lock acquisition
    locked p in a                           lock acquired


Results include both variables and names. Variables represent intermediate values, and are bound by methods ς(x)b and by let expressions let x=a in b; both of these constructs bind the variable x with scope b. Names represent the addresses of stored objects. They are introduced by a restriction (νp)a, which binds the name p with scope a. We let fn(a) and fv(a) denote the sets of free names and free variables in a, respectively. We write a{u ← b} to denote the capture-free substitution of b for all free occurrences of u in a. We write a ≡ b to mean that a and b are equal up to the renaming of bound variables and bound names, and the reordering of object methods.



2.2 Informal Semantics 

A denotation [ℓ_i = ς(x_i)b_i  i∈1..n]^m describes an object containing a collection of methods. Each method has a label ℓ_i and consists of a self parameter x_i and a body b_i. In addition, the object has an associated lock whose state is described by m. If m = •, the lock is held by some term in the program; if m = ∘, the lock is unlocked. (As a straightforward extension, each object could have several associated locks.)

A denotation may appear in a denomination p ↦ d, which maps the name p to the denotation d. Intuitively, this term represents the portion of the store containing the object d, and p represents the address of that object. The term 
(νp)a introduces a fresh name p and then evaluates a. This operation corresponds to allocating a fresh address p at which objects can be stored. Thus the language separates name introduction (νp)a from name definition p ↦ d; the type system forbids programs with multiple definitions of the same name.

A method invocation u.ℓ invokes the method ℓ of the object u. A method update u.ℓ ⇐ ς(x)b replaces the method ℓ of u with ς(x)b. The term let x=a in b first evaluates a to yield a result, binds x to this result, and then evaluates b. A parallel composition a ▹ b evaluates both a and b in parallel. The result of this parallel composition is the result of b; the subterm a is evaluated only for effect.

The lock operation lock u in a functions in a similar manner to Java's synchronized statement: the lock on the object u is acquired; then the subterm a is evaluated; and finally the lock is released. The implementation of this construct relies on an auxiliary construct locked p in a, which indicates that the lock p has been acquired and that the term a is being evaluated. Locks are not reentrant, so expressions like lock u in lock u in a will deadlock; similarly, calls to the recursive method ℓ of [ℓ = ς(x)lock x in x.ℓ]∘ will deadlock (cf. Java).

The appendix contains a detailed formal semantics of the language. It is a chemical semantics in the style of Berry and Boudol [?]. It consists of a group of structural congruence rules, which permit the rearrangement of terms and imply for example that ▹ is associative, and a group of reduction rules, which model proper computation steps.

A typical structural congruence rule is:

a ▹ E[b] ≡ E[a ▹ b]    (if fn(a) ∩ bn(E) = ∅)

where E denotes an evaluation context:

E ::= [·] | let x=E in b | E ▹ b | a ▹ E | (νp)E | locked p in E

and the binding names bn(E) of an evaluation context are the names p bound by a restriction (νp)E' that encloses the hole [·].

For our purposes, the two most interesting reduction rules are:

(p ↦ [...]∘) ▹ lock p in a  →  (p ↦ [...]•) ▹ locked p in a    (Red Lock)

(p ↦ [...]•) ▹ locked p in u  →  (p ↦ [...]∘) ▹ u    (Red Locked)

where [...] represents an object (excluding its lock state). The rule (Red Lock) evaluates a lock operation by acquiring the lock associated with p, and yielding the term locked p in a. Subsequent reduction steps may then evaluate a. Once a is reduced to some result u, the rule (Red Locked) releases the lock on p and returns u as the result of the locked expression.



2.3 An Example 

For clarity, we present example programs in an extended language with integer constants and operations, and we abbreviate let x=a in b to a;b when x ∉ fv(b).

A counter that has a read method and an increment method, and initially contains the integer n, can be defined as:

count_n = [val = ς(x)n,
           read = ς(x)x.val,
           inc = ς(x)let t=x.val + 1 in x.val ⇐ ς(y)t]∘

The following program allocates a counter (initially containing 0), increments the counter, and then reads the value of the counter.

(νp)(p ↦ count_0 ▹ (p.inc; p.read))

As expected, this program reduces to (νp)(p ↦ count_1 ▹ 1), since the counter works correctly in a sequential setting. In the presence of concurrency, however, the counter may exhibit unexpected behavior. To illustrate this danger, we consider the following program, which creates a counter and then increments it twice, in parallel.

(νp)(p ↦ count_0 ▹ p.inc ▹ p.inc)

This program is non-deterministic. It may reduce to (νp)(p ↦ count_2 ▹ p ▹ p), as expected. Alternatively, if the evaluations of the two calls to inc are interleaved, the program may also reduce to (νp)(p ↦ count_1 ▹ p ▹ p), which is presumably not what the programmer intended. Thus the program has a race condition: two threads may attempt to update the method val simultaneously, with incorrect results.

We can fix this error by adding appropriate synchronization to the counter:

sync_count_n = [val = ς(x)n,
                read = ς(x)lock x in x.val,
                inc = ς(x)lock x in let t=x.val + 1 in x.val ⇐ ς(y)t]∘

In this synchronized counter, the method val is protected by the lock of the counter. This lock should be held whenever the method val is invoked or updated, and thus the methods read and inc both acquire that lock. The modified counter implementation is race-free and will behave correctly even if used by multiple threads, provided those threads access val only through read and inc, or acquire the lock before accessing val directly. We revisit this example in later sections.
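The race in count_n and its absence in sync_count_n can be made concrete by enumerating every interleaving of the two calls to inc. The following Python program is an added example, not the paper's code: it splits inc into the atomic steps that the reduction rules interleave (the read of val, the update of val, and, for sync_count, the Red Lock and Red Locked steps), explores all schedules exhaustively, and reports the set of final values of val. The step names, the State record and the thread counts are assumptions of this example.

```python
# Added example (not from the paper): the program (νp)(p ↦ count_0 ▹ p.inc ▹ p.inc)
# of Section 2.3 explored over every interleaving. Each inc is split into the
# atomic steps that the reduction rules interleave; the sync_count version
# wraps them in the Red Lock / Red Locked steps. Constructed for illustration.
from dataclasses import dataclass, replace
from typing import Optional, Tuple

@dataclass(frozen=True)
class State:
    val: int                       # the current body of method val
    holder: Optional[int]          # None: lock state ∘ ; thread id: lock state •
    pc: Tuple[int, ...]            # next step of each thread
    t: Tuple[Optional[int], ...]   # the let-bound t of each thread

# inc = ς(x) let t=x.val+1 in x.val ⇐ ς(y)t, as two atomic steps
COUNT = ("read", "write")
# sync_count's inc = ς(x) lock x in let t=x.val+1 in x.val ⇐ ς(y)t
SYNC_COUNT = ("acquire", "read", "write", "release")

def step(s: State, tid: int, program) -> Optional[State]:
    """Let thread tid take its next step, or return None when it has
    finished or is blocked because another thread holds the lock
    (Red Lock needs the lock state to be ∘)."""
    if s.pc[tid] >= len(program):
        return None
    op = program[s.pc[tid]]
    if op == "acquire":                       # Red Lock
        if s.holder is not None:
            return None
        s = replace(s, holder=tid)
    elif op == "release":                     # Red Locked
        s = replace(s, holder=None)
    elif op == "read":                        # let t = x.val + 1
        t = list(s.t); t[tid] = s.val + 1
        s = replace(s, t=tuple(t))
    else:                                     # x.val ⇐ ς(y)t
        s = replace(s, val=s.t[tid])
    pc = list(s.pc); pc[tid] += 1
    return replace(s, pc=tuple(pc))

def reachable_finals(program, threads=2, n=0):
    """Depth-first search over every interleaving of `threads` copies of
    inc on a counter initially holding n; returns the set of final values
    of val. More than one final value is exactly the race."""
    start = State(n, None, (0,) * threads, (None,) * threads)
    seen, stack, finals = {start}, [start], set()
    while stack:
        s = stack.pop()
        if all(pc == len(program) for pc in s.pc):
            finals.add(s.val)
            continue
        for tid in range(threads):
            nxt = step(s, tid, program)
            if nxt is not None and nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return finals

if __name__ == "__main__":
    print("count_0, two incs      :", sorted(reachable_finals(COUNT)))       # [1, 2]
    print("sync_count_0, two incs :", sorted(reachable_finals(SYNC_COUNT)))  # [2]
```

Blocking of Red Lock while another thread holds the lock is modelled by refusing the step, so the search also shows that sync_count_n does not deadlock here: every run reaches the state in which all threads have finished. With three threads the unsynchronized counter can end at 1, 2 or 3, the synchronized one only at 3.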

3 The Type System 

Race conditions, such as that in count_n, are a common bug in concurrent object-oriented programs, just as they are in concurrent programs of other kinds. In practice, race conditions are often avoided by the same strategy that we employed in sync_count_n: each mutable component is protected by a lock, and is only accessed when that lock is held. In this section, we describe a type system that supports this programming discipline.
3.1 The Type Language 

The set of types in our system is described by the grammar: 

Types

A, B ::= [ℓ_i : ς(x_i)A_i·r_i·s_i  i∈1..n] | Proc | Exp      types
r ::= {u_1, ..., u_n}                                       permissions
s ::= u | +                                                 protection annotations

An object type [ℓ_i : ς(x_i)A_i·r_i·s_i  i∈1..n] describes an object containing n methods labeled ℓ_1, ..., ℓ_n. Each method ℓ_i has result type A_i, permission r_i, and protection annotation s_i. The permission r_i is a set of results describing the locks that must be held before invoking ℓ_i. Because the method invocation may trigger other operations, we allow r_i to contain more than one lock. The protection annotation s_i is a result describing the lock that must be held before updating ℓ_i; we refer to s_i as the lock that protects ℓ_i (although additional locks may be required for invoking ℓ_i). In the case where ℓ_i is never updated, s_i may alternatively be the symbol '+'. Since methods are commonly protected by the self lock (that is, the lock of the object itself), the description of each method also binds the self variable x_i; this variable may occur free in A_i, r_i, and s_i.

An example type is [ℓ : ς(x)A·∅·+], which describes an object containing a single method ℓ with result type A. The permission ∅ indicates that no locks need to be acquired before invoking this method; the protection annotation '+' indicates that the method cannot be updated. The type [ℓ : ς(x)A·{x}·x] is similar, except that it describes an object whose method ℓ can be updated. The self lock of the object must be acquired before invoking or updating that method. The type [ℓ : ς(x)A·{x}·x, ℓ' : ς(x)A·{x,p}·p] mentions an additional method ℓ' protected by an external lock p. Since the lock that protects ℓ (the self lock x) must be acquired before invoking ℓ', the code for ℓ' may update or invoke ℓ without any further locking.

As a slightly more complicated example, a suitable type for the synchronized counter sync_count_n described earlier is:

[val : ς(x)Int·{x}·x, read : ς(x)Int·∅·+, inc : ς(x)[]·∅·+]

This type states that the method val is protected by the self lock, which must be acquired before invoking or updating that method. The methods read and inc are read-only; they cannot be updated. Furthermore, since these methods perform the necessary synchronization internally, no locks need to be held when invoking these methods.

In addition to object types, the type language also includes the types Exp and Proc. The type Exp describes all results that may be returned by expressions; the type Proc is a supertype of Exp that also covers terms that never return results, such as a denomination p ↦ d.
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3.2 Clean and Defined Names 

In addition to checking that the appropriate locks are held whenever a method 
is invoked or updated, the type system also verifies that each lock is held by at 
most one thread at any time. That is, for each name p, there is at most one term 
of the form locked p in ... in the program. 

Verifying this mutual exclusion property is a little tricky, since any term
that contains the denomination $p \mapsto [\ldots]^{\circ}$ can potentially acquire the lock on $p$
via the reduction rule (Red Lock). Therefore, we introduce the notion of clean
names, and we say that $p$ is a clean name of a term if the term includes either
$\mathbf{locked}\ p\ \mathbf{in}\ \ldots$ or $p \mapsto [\ldots]^{\circ}$ in an evaluation context. (The restriction to evaluation
contexts excludes some nonsensical programs.) The set of clean names of
a term is preserved during evaluation, even though the set of locks held by the
term may vary. The type system checks that for any parallel composition $a \triangleright b$,
the clean names of the subterms $a$ and $b$ are distinct. This check ensures that a
lock cannot be simultaneously held by two terms executing in parallel.

The type system also verifies that every name that is introduced is associated 
with a unique denotation. We say that a name is defined by a term if it is 
associated with a denotation in an evaluation context. 



Clean and defined names

$$p \in \mathit{clean}(a) \quad \text{if } a = \mathcal{E}[\,p \mapsto [\ldots]^{\circ}\,] \text{ or } a = \mathcal{E}[\,\mathbf{locked}\ p\ \mathbf{in}\ b\,],\ \text{and } p \notin \mathit{bn}(\mathcal{E})$$

$$p \in \mathit{defined}(a) \quad \text{if } a = \mathcal{E}[\,p \mapsto d\,] \text{ and } p \notin \mathit{bn}(\mathcal{E})$$
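The two definitions above are easy to get wrong in an implementation, because a name only counts when the denomination or the locked-block sits in an evaluation context and is not captured by an enclosing restriction. The following is an added example, not code from the paper: a small Python model of terms with the two functions clean and defined and the side conditions of (Val Par), (Val Res) and (Val Lock) built on them. The set of evaluation contexts is not listed in this excerpt and is assumed here to be the Gordon and Hankin one (let-initialisers, both sides of a parallel composition, restrictions and locked-blocks); that assumption is stated in the code.

```python
"""Clean and defined names of a term (Section 3.2), as an added example.

Terms are a small Python AST; lock names are strings.  The evaluation
contexts are ASSUMED to be the Gordon and Hankin style ones:

    E ::= []  |  let x = E in b  |  E > b  |  a > E  |  (nu p) E  |  locked p in E

`lock u in a` is deliberately NOT an evaluation context: its body does not
run until the lock is acquired, so nothing inside it counts as clean.
"""
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Denom:          # p |-> [...] ; held=False is the unlocked state, True the locked one
    name: str
    held: bool = False


@dataclass(frozen=True)
class Locked:         # locked p in body   (body is in evaluation position)
    name: str
    body: Any


@dataclass(frozen=True)
class Lock:           # lock u in body     (body is NOT in evaluation position)
    name: str
    body: Any


@dataclass(frozen=True)
class Par:            # a > b   (parallel composition, result taken from b)
    left: Any
    right: Any


@dataclass(frozen=True)
class Res:            # (nu p) body
    name: str
    body: Any


@dataclass(frozen=True)
class Let:            # let x = init in body   (only init is in evaluation position)
    var: str
    init: Any
    body: Any


@dataclass(frozen=True)
class Result:         # a result u: a variable or a name
    name: str


def _names(term, bound, pick):
    """Return {p | term = E[sub], pick(sub) == p, p not in bn(E)}, walking
    only through evaluation contexts; `bound` is bn(E) collected so far."""
    out = set()
    p = pick(term)
    if p is not None and p not in bound:
        out.add(p)
    if isinstance(term, Locked):
        out |= _names(term.body, bound, pick)
    elif isinstance(term, Par):
        out |= _names(term.left, bound, pick)
        out |= _names(term.right, bound, pick)
    elif isinstance(term, Res):
        out |= _names(term.body, bound | {term.name}, pick)
    elif isinstance(term, Let):
        out |= _names(term.init, bound, pick)
    # Lock bodies and let bodies lie outside every evaluation context.
    return out


def clean(term):
    """p in clean(a) iff a = E[p |-> [...] unlocked] or a = E[locked p in b], p not in bn(E)."""
    def pick(t):
        if isinstance(t, Denom) and not t.held:
            return t.name
        if isinstance(t, Locked):
            return t.name
        return None
    return _names(term, frozenset(), pick)


def defined(term):
    """p in defined(a) iff a = E[p |-> d] with p not in bn(E)."""
    return _names(term, frozenset(),
                  lambda t: t.name if isinstance(t, Denom) else None)


def par_ok(a, b):
    """Side conditions of (Val Par) on a > b: disjoint defined and clean names."""
    return not (defined(a) & defined(b)) and not (clean(a) & clean(b))


def res_ok(p, a):
    """Side conditions of (Val Res) on (nu p)a: p is defined in a and clean in a,
    i.e. the lock p is either unlocked or held by a itself."""
    return p in defined(a) and p in clean(a)


def lock_ok(a):
    """Side condition of (Val Lock) on lock u in a: the body has no clean or
    defined names, so neither set changes when the body starts to run."""
    return not defined(a) and not clean(a)
```

The invariance claimed in the text can be checked on the (Red Lock) step: before the step the denomination is unlocked and contributes p to clean, after it the locked-block contributes the same p, so clean is unchanged while the set of locks actually held has grown. Two locked-blocks on the same p in parallel are rejected by par_ok, which is exactly the mutual-exclusion check.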


3.3 Type Rules 




We define the type system using the following six judgments and associated
rules. In these judgments, an environment $E$ is a sequence of bindings of results
to types, of the form $\emptyset, u_1 : A_1, \ldots, u_n : A_n$.

Judgments

$E \vdash \diamond$ : $E$ is a well-formed environment
$E \vdash A$ : given $E$, type $A$ is well-formed
$E \vdash r$ : given $E$, permission $r$ is well-formed
$E \vdash A <: B$ : given $E$, $A$ is a subtype of $B$
$E \vdash r <: r'$ : given $E$, $r$ is a subpermission of $r'$
$E; r \vdash a : A$ : given $E$ and $r$, term $a$ has type $A$

Type rules

$$\textsf{(Env $\emptyset$)}\ \ \frac{}{\emptyset \vdash \diamond}
\qquad
\textsf{(Env $u$)}\ \ \frac{E \vdash A \qquad u \notin \mathit{dom}(E)}{E, u : A \vdash \diamond}
\qquad
\textsf{(Perm)}\ \ \frac{E \vdash \diamond \qquad r \subseteq \mathit{dom}(E)}{E \vdash r}$$

$$\textsf{(Type Proc)}\ \ \frac{E \vdash \diamond}{E \vdash \mathit{Proc}}
\qquad
\textsf{(Type Exp)}\ \ \frac{E \vdash \diamond}{E \vdash \mathit{Exp}}$$

$$\textsf{(Type Object)}\ (\ell_i\ \text{distinct})\ \ \frac{E \vdash \diamond \qquad E, x_i : [\,] \vdash B_i <: \mathit{Exp} \qquad E, x_i : [\,] \vdash r_i \qquad s_i \in r_i \cup \{+\} \qquad \forall i \in 1..n}{E \vdash [\ell_i : \varsigma(x_i)B_i \cdot r_i \cdot s_i\ {}^{i \in 1..n}]}$$

$$\textsf{(Val Object)}\ (\text{where } A = [\ell_i : \varsigma(x_i)B_i \cdot r_i \cdot s_i\ {}^{i \in 1..n}])$$
$$\frac{E = E_1, p : A, E_2 \qquad E \vdash \diamond \qquad E; r_i\{x_i \leftarrow p\} \vdash b_i\{x_i \leftarrow p\} : B_i\{x_i \leftarrow p\} \qquad \mathit{defined}(b_i) = \mathit{clean}(b_i) = \emptyset \qquad \forall i \in 1..n}{E; \emptyset \vdash p \mapsto [\ell_i = \varsigma(x_i)b_i\ {}^{i \in 1..n}]^{\circ} : \mathit{Proc}}$$

$$\textsf{(Val $u$)}\ \ \frac{E, u : A, E' \vdash \diamond}{E, u : A, E'; \emptyset \vdash u : A}
\qquad
\textsf{(Val Select)}\ \ \frac{E; \emptyset \vdash u : [\ell_i : \varsigma(x_i)B_i \cdot r_i \cdot s_i\ {}^{i \in 1..n}] \qquad j \in 1..n}{E; r_j\{x_j \leftarrow u\} \vdash u.\ell_j : B_j\{x_j \leftarrow u\}}$$

$$\textsf{(Val Update)}\ (\text{where } A = [\ell_i : \varsigma(x_i)B_i \cdot r_i \cdot s_i\ {}^{i \in 1..n}])$$
$$\frac{E; \emptyset \vdash u : A \qquad E; r_j\{x_j \leftarrow u\} \vdash b\{x_j \leftarrow u\} : B_j\{x_j \leftarrow u\} \qquad s_j \neq + \qquad j \in 1..n \qquad \mathit{defined}(b) = \mathit{clean}(b) = \emptyset}{E; \{\,s_j\{x_j \leftarrow u\}\,\} \vdash u.\ell_j \Leftarrow \varsigma(x_j)b : A}$$

$$\textsf{(Val Let)}\ \ \frac{E; r \vdash a : A \qquad E, x : A; r \vdash b : B \qquad E \vdash A <: \mathit{Exp} \qquad E \vdash B <: \mathit{Exp} \qquad \mathit{defined}(b) = \mathit{clean}(b) = \emptyset}{E; r \vdash \mathbf{let}\ x = a\ \mathbf{in}\ b : B}$$

$$\textsf{(Val Res)}\ \ \frac{E, p : A; r \vdash a : B \qquad E \vdash r \qquad E \vdash B \qquad p \in \mathit{defined}(a) \qquad p \in \mathit{clean}(a)}{E; r \vdash (\nu p)a : B}$$

$$\textsf{(Val Par)}\ \ \frac{E; \emptyset \vdash a : \mathit{Proc} \qquad E; r \vdash b : B \qquad \mathit{defined}(a) \cap \mathit{defined}(b) = \emptyset \qquad \mathit{clean}(a) \cap \mathit{clean}(b) = \emptyset}{E; r \vdash a \triangleright b : B}$$

$$\textsf{(Val Lock)}\ \ \frac{E; \emptyset \vdash u : [\,] \qquad E; r \cup \{u\} \vdash a : A \qquad \mathit{defined}(a) = \mathit{clean}(a) = \emptyset}{E; r \vdash \mathbf{lock}\ u\ \mathbf{in}\ a : A}
\qquad
\textsf{(Val Locked)}\ \ \frac{E; \emptyset \vdash p : [\,] \qquad E; r \cup \{p\} \vdash a : A \qquad p \notin \mathit{clean}(a)}{E; r \vdash \mathbf{locked}\ p\ \mathbf{in}\ a : A}$$

$$\textsf{(Val Subsumption)}\ \ \frac{E; r \vdash a : A \qquad E \vdash A <: B \qquad E \vdash r <: r'}{E; r' \vdash a : B}
\qquad
\textsf{(Subperm)}\ \ \frac{E \vdash r \qquad E \vdash r' \qquad r \subseteq r'}{E \vdash r <: r'}$$

$$\textsf{(Sub Refl)}\ \ \frac{E \vdash A}{E \vdash A <: A}
\qquad
\textsf{(Sub Trans)}\ \ \frac{E \vdash A <: B \qquad E \vdash B <: C}{E \vdash A <: C}
\qquad
\textsf{(Sub Exp)}\ \ \frac{E \vdash A \qquad A \neq \mathit{Proc}}{E \vdash A <: \mathit{Exp}}
\qquad
\textsf{(Sub Proc)}\ \ \frac{E \vdash A}{E \vdash A <: \mathit{Proc}}$$

$$\textsf{(Sub Object)}\ \ \frac{E \vdash [\ell_i : \varsigma(x_i)B_i \cdot r_i \cdot s_i\ {}^{i \in 1..n+m}]}{E \vdash [\ell_i : \varsigma(x_i)B_i \cdot r_i \cdot s_i\ {}^{i \in 1..n+m}] <: [\ell_i : \varsigma(x_i)B_i \cdot r_i \cdot s_i\ {}^{i \in 1..n}]}$$



Many of the rules of the type system are based on corresponding rules in 
Gordon and Hankin’s system, which is in turn based on Abadi and Cardelli’s 
calculi. The novel aspects of our system mainly pertain to locking; they include 
the treatment of permissions and dependent types. 

The core of the system is the set of rules for the judgment $E; r \vdash a : A$ (read "$a$
is a well-typed expression of type $A$ in typing environment $E$ with permission $r$").
Our intent is that, if this judgment holds, then $a$ is race-free and yields results
of type $A$, provided the free variables of $a$ are given bindings consistent with the
typing environment $E$, and the current thread holds at least the locks in $r$.

The type system thus tracks the set of locks that are assumed to be held 
at each program point. The rule (Val Object) checks that each method body is 
race-free under the assumption that the locks described by the method’s permis- 
sion are held. The rule (Val Select) ensures that these locks are held whenever 
the method is invoked. The rule (Val Update) ensures that the lock protecting 
a method is held whenever that method is updated. The rule (Val Lock) for 
lock u in a typechecks a under the assumption that the lock u is held. The rule 
(Val Subsumption) allows for subsumption on both types and permissions: if 
E h r<:r' , then any term that is race-free with permission r is also race-free 
with the superset r' of r. 

The type system provides dependent types, that is, a type may contain a 
result that refers to an object. In some cases, an object can be the referent of 
several results, for example, its self variable and some external name for the 
object. The type rules contain a number of substitutions that support changing 
the result used to refer to a particular object. For example, the rule (Val Select) 
for a method invocation u.£j replaces occurrences of the self variable Xj in the 
type Bj with the result u, since xj and u refer to the same object, and Xj is 
going out of scope. A similar substitution is performed on the permission Vj. 
The rules (Val Object) and (Val Update) rely on analogous substitutions. 

In order to accommodate self-dependent types, where the description of an 
object’s method may refer to the object itself, the rule (Type Object) checks that 
the result type and permission of each method is well-formed in an extended 
environment that contains a binding for the self variable. Because types may 
refer to results, the rules (Val Let) and (Val Res) ensure that a type that is 
lifted outside a result binding is still well- formed. The rule (Val Res) also has a 
similar requirement on permissions. 

The type rules include conditions on the clean and defined names of subterms.
The rule (Val Par) for $a \triangleright b$ requires that the defined names of the subterms $a$ and
$b$ be disjoint. Furthermore, the clean names of the subterms must also be disjoint.
The latter condition implies that the two subterms cannot simultaneously hold
the same lock. The rule (Val Res) for $(\nu p)a$ requires that the name $p$ being
introduced be defined in $a$, and that the lock associated with $p$ is either unlocked
or is held by $a$. The rule (Val Locked) disallows nested acquisitions of the same
lock. In addition, in order to ensure that the clean and defined names of a term
are invariant under evaluation, the type rules require that terms not in evaluation
contexts do not have any clean or defined names.

The rule (Sub Object) defines the usual subtyping relation on object types
(appropriately adapted to our type syntax). Since the protection annotation $+$
can be considered a variance annotation, we could extend the type system
with a more powerful subtyping rule. This rule would allow the result types and
permissions of immutable components to behave covariantly. We conjecture that
the extended system would still be race-free.

4 Examples 

In this section we show a few applications of our type system in examples. For
convenience, we use the abbreviation $b.\ell = \mathbf{let}\ x = b\ \mathbf{in}\ x.\ell$ when $b$ is not a result.

4.1 Counters 

The unsynchronized counter implementation $\mathit{count}$ described earlier can be
assigned the type:

$$[\mathit{val} : \varsigma(x)\mathit{Int} \cdot \{x\} \cdot x,\ \ \mathit{read} : \varsigma(x)\mathit{Int} \cdot \{x\} \cdot +,\ \ \mathit{inc} : \varsigma(x)[\,] \cdot \{x\} \cdot +]$$

This type states that the method $\mathit{val}$ is protected by the self lock of the object,
and this self lock must be acquired before invoking the methods $\mathit{read}$ and $\mathit{inc}$.

The method $\mathit{val}$ may be considered private to the implementation of the
counter, and can be dropped via subtyping, yielding:

$$[\mathit{read} : \varsigma(x)\mathit{Int} \cdot \{x\} \cdot +,\ \ \mathit{inc} : \varsigma(x)[\,] \cdot \{x\} \cdot +]$$

This type describes the public interface to the counter; it states that the self
lock of the counter must be acquired before invoking the counter's methods. This
interface expresses a synchronization protocol that is sufficient to ensure that the
counter operates correctly. The type system requires that this protocol be obeyed
by each client of the counter. Programs that do not obey this synchronization
protocol, such as $(\nu p)(p \mapsto \mathit{count} \triangleright p.\mathit{inc} \triangleright p.\mathit{inc})$, are forbidden.

4.2 Input Streams 

In some cases, we may wish to provide similar synchronized and unsynchronized
interfaces to the same object. For example, an input stream may provide both a
synchronized method $\mathit{read}$ for reading characters from the stream, and a faster
but unsynchronized method $\mathit{read}'$. (The Modula-3 I/O package provides both of
these methods.)

An outline implementation of such an input stream might be:

$$\begin{array}{lll}
\mathit{instream} = [ & \mathit{buffer} = \varsigma(x) \ldots, & \text{internal data structure} \\
 & \mathit{read}' = \varsigma(x) \ldots \mathit{buffer} \ldots, & \text{fast, unsynchronized read} \\
 & \mathit{read} = \varsigma(x)\ \mathbf{lock}\ x\ \mathbf{in}\ x.\mathit{read}'\ ] & \text{slower, synchronized read}
\end{array}$$

The method $\mathit{buffer}$ contains some internal data structures of the input stream
and is protected by the self lock. The method $\mathit{read}'$ assumes that the self lock
is held, and returns the next input character after some manipulation of $\mathit{buffer}$.
The method $\mathit{read}$ does not assume that the self lock is held; it first acquires that
lock and then dispatches to $\mathit{read}'$.

A suitable type for this input stream is:

$$[\mathit{buffer} : \varsigma(x)\mathit{Buffer} \cdot \{x\} \cdot x,\ \ \mathit{read}' : \varsigma(x)\mathit{Char} \cdot \{x\} \cdot +,\ \ \mathit{read} : \varsigma(x)\mathit{Char} \cdot \emptyset \cdot +]$$

Subtyping then allows us to view an input stream as having either the synchronized
interface $[\mathit{read} : \varsigma(x)\mathit{Char} \cdot \emptyset \cdot +]$ or the faster but unsynchronized interface
$[\mathit{read}' : \varsigma(x)\mathit{Char} \cdot \{x\} \cdot +]$.

4.3 Lines and Points 

The examples above describe objects whose components are protected by the 
self lock of the object. In addition, object components can also be protected 
by a lock external to the object. To illustrate this possibility, we consider the 
following example consisting of point and line objects. 

$$\begin{array}{l}
\mathit{point} = [\,x = \varsigma(s)0,\ \ y = \varsigma(s)0,\ \ \mathit{bmp} = \varsigma(s)\ \mathbf{let}\ t = s.x + 1\ \mathbf{in}\ s.x \Leftarrow \varsigma(s)t\,] \\[4pt]
\mathit{line} = [\,\mathit{start} = \varsigma(s)\mathit{pt}_1,\ \ \mathit{end} = \varsigma(s)\mathit{pt}_2,\ \ \mathit{bmp} = \varsigma(s)\ \mathbf{lock}\ s\ \mathbf{in}\ (s.\mathit{start}.\mathit{bmp};\ s.\mathit{end}.\mathit{bmp})\,]
\end{array}$$

A point contains a method $\mathit{bmp}$ that increments the $x$-coordinate of the point.
(An analogous method for $y$ is omitted for brevity.) Each line object includes two
methods for its end points, $\mathit{start}$ and $\mathit{end}$, and a method $\mathit{bmp}$ that increments
the $x$-coordinate of both end points of the line. This method first acquires the
self lock of the line, then calls the method $\mathit{bmp}$ of both end points. These points
do not perform any synchronization internally; their mutable methods $x$ and $y$
are protected by the lock of the enclosing line object. Appropriate types for lines
and points are:

$$\mathit{Point}\ z = [\,x : \varsigma(s)\mathit{Int} \cdot \{z\} \cdot z,\ \ y : \varsigma(s)\mathit{Int} \cdot \{z\} \cdot z,\ \ \mathit{bmp} : \varsigma(s)[\,] \cdot \{z\} \cdot +\,]$$

$$\mathit{Line} = [\,\mathit{start} : \varsigma(s)\,\mathit{Point}\ s \cdot \emptyset \cdot +,\ \ \mathit{end} : \varsigma(s)\,\mathit{Point}\ s \cdot \emptyset \cdot +,\ \ \mathit{bmp} : \varsigma(s)[\,] \cdot \emptyset \cdot +\,]$$

where the type $\mathit{Point}\ z$ describes a point whose mutable methods are protected
by the lock $z$. The type $\mathit{Line}$ states that the methods $\mathit{start}$ and $\mathit{end}$ yield points
whose mutable components are protected by the lock of the enclosing line object.
Interestingly, the type $\mathit{Line}$ also permits the following line object:

$$\mathit{line}' = [\,\mathit{start} = \varsigma(s)\mathit{pt}_1,\ \ \mathit{end} = \varsigma(s)\mathit{pt}_2,\ \ \mathit{bmp} = \varsigma(s)\,(\mathbf{lock}\ s\ \mathbf{in}\ s.\mathit{start}.\mathit{bmp});\ (\mathbf{lock}\ s\ \mathbf{in}\ s.\mathit{end}.\mathit{bmp})\,]$$

When a thread runs the method bmp of this object, it acquires and releases the 
self lock twice; it does not hold the lock continuously throughout the execution 
of the method. Therefore, another thread may observe line' in an intermediate 
state where start has been updated but end has not. Such an intermediate state 
might violate higher-level invariants, so the interleaving of the two threads might 
be regarded as a higher-level race condition. Our type system does not address 
such errors directly. 
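The counter types of Section 4.1 and the Point/Line types of Section 4.3 exercise the three checks that matter in practice: a select needs the method's permission, an update needs the protecting lock, and a lock-block extends the permission for its body. The following is an added example, not code from the paper, that encodes exactly those checks from (Val Select), (Val Update) and (Val Lock) and runs them over the types above. The encoding of a method type as a (permission, protection) pair, the name SELF standing for the self variable, and the helper names are this example's own; the substitution of the receiver for the self variable is the $\{x \leftarrow u\}$ of the rules, and the dependent type $\mathit{Point}\ s$ is modelled by instantiating the lock parameter.

```python
"""Lock-permission checks of (Val Select), (Val Update) and (Val Lock),
run over the counter types of Section 4.1 and Point/Line of Section 4.3.

Added example, not code from the paper.  A method type  l : s(x)B . r . s
is encoded as MethodType(perm=r, protect=s).  Lock names are strings; the
special name SELF plays the role of the self variable x and is replaced by
the receiver at each use (the substitution {x <- u} of the rules).  The
permission r of a judgment E; r |- a : A is the `held` set.
"""
from dataclasses import dataclass

SELF = "self"        # stands for the self variable x of an object type
NO_UPDATE = "+"      # protection annotation of a method that cannot be updated


@dataclass(frozen=True)
class MethodType:
    perm: frozenset   # r: locks that must be held to invoke the method
    protect: str      # s: lock that protects updates, or NO_UPDATE


def subst(lock, receiver):
    """{x <- u}: the self variable is replaced by the receiver."""
    return receiver if lock == SELF else lock


def may_select(objtype, receiver, method, held):
    """(Val Select): r_j{x_j <- u} must be covered by the locks held."""
    needed = {subst(l, receiver) for l in objtype[method].perm}
    return needed <= set(held)


def may_update(objtype, receiver, method, held):
    """(Val Update): s_j != + and s_j{x_j <- u} must be among the locks held."""
    s = objtype[method].protect
    return s != NO_UPDATE and subst(s, receiver) in set(held)


def after_lock(held, u):
    """(Val Lock): inside `lock u in a` the body is checked with r U {u}."""
    return frozenset(held) | {u}


# Section 4.1: unsynchronized counter; callers must hold the self lock.
COUNT = {
    "val":  MethodType(frozenset({SELF}), SELF),
    "read": MethodType(frozenset({SELF}), NO_UPDATE),
    "inc":  MethodType(frozenset({SELF}), NO_UPDATE),
}
# Synchronized counter type given before Section 3.2; read/inc lock internally.
SYNC_COUNT = {
    "val":  MethodType(frozenset({SELF}), SELF),
    "read": MethodType(frozenset(), NO_UPDATE),
    "inc":  MethodType(frozenset(), NO_UPDATE),
}


def point_type(z):
    """Point z (Section 4.3): coordinates protected by the external lock z."""
    return {
        "x":   MethodType(frozenset({z}), z),
        "y":   MethodType(frozenset({z}), z),
        "bmp": MethodType(frozenset({z}), NO_UPDATE),
    }


def line_bmp_body_ok(s, held):
    """Body of line.bmp, `lock s in (s.start.bmp; s.end.bmp)`, for a line named
    by result s.  s.start has the dependent type Point s, so after {z <- s}
    the call s.start.bmp needs the lock s, which `lock s` adds to `held`."""
    inner = after_lock(held, s)
    endpoint = point_type(s)          # pt1, pt2 are the (assumed) end-point names
    return (may_select(endpoint, "pt1", "bmp", inner)
            and may_select(endpoint, "pt2", "bmp", inner))


def line_bmp_body_without_lock_ok(s, held):
    """The same two calls written without `lock s in ...`: rejected unless the
    caller already holds s."""
    endpoint = point_type(s)
    return (may_select(endpoint, "pt1", "bmp", held)
            and may_select(endpoint, "pt2", "bmp", held))
```

The rejected program $(\nu p)(p \mapsto \mathit{count} \triangleright p.\mathit{inc} \triangleright p.\mathit{inc})$ of Section 4.1 corresponds to may_select(COUNT, "p", "inc", set()) being false, while the synchronized counter's inc passes with no locks held. Note what the checker does not see: line' of Section 4.3 passes these checks just as line does, which is the "higher-level race" the text says the type system does not address.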

4.4 Encoding Functions as Race-Free Objects 

We encode function abstraction and application in our calculus as follows, much
as in other object calculi.

Encoding functions

$$\lambda(x)b \stackrel{\mathrm{def}}{=} [\,\mathit{new} = \varsigma(s)[\,\mathit{arg} = \varsigma(s)s.\mathit{arg},\ \ \mathit{val} = \varsigma(s)\ \mathbf{let}\ x = s.\mathit{arg}\ \mathbf{in}\ b\,]\,] \qquad \text{for } s \notin \mathit{fv}(b)$$

$$b(a) \stackrel{\mathrm{def}}{=} \mathbf{let}\ y = b.\mathit{new}\ \mathbf{in}\ \mathbf{lock}\ y\ \mathbf{in}\ (y.\mathit{arg} \Leftarrow \varsigma(z)a).\mathit{val} \qquad \text{for } y, z \notin \mathit{fv}(a)$$

In the absence of cloning, we need to use a method $\mathit{new}$ to create a fresh object
with the usual methods $\mathit{arg}$ and $\mathit{val}$. The self lock is acquired before accessing
$\mathit{arg}$ and $\mathit{val}$. Locking is needed for both methods because $\mathit{arg}$ is mutable and $\mathit{val}$
invokes $\mathit{arg}$.

This translation provides an encoding for the simply-typed call-by-value $\lambda$-calculus;
a function of type $A \rightarrow B$ is mapped to an object of type:

$$[\,\mathit{new} : \varsigma(s)[\,\mathit{arg} : \varsigma(s)A \cdot \{s\} \cdot s,\ \ \mathit{val} : \varsigma(s)B \cdot \{s\} \cdot +\,] \cdot \emptyset \cdot +\,]$$

This translation cannot encode dependent function types, in which the result
type depends on the argument value. Encoding dependent function types in our
calculus seems to require an extension, for example allowing the use of terms
(and not just results) as locks.

4.5 Other Encodings (Sketches) 

We can translate programs of the imperative object calculus $\mathbf{imp}\varsigma$ into our
calculus in a straightforward manner, much as Gordon and Hankin do. (Since our
calculus does not include cloning, this translation only works for clone-free programs.)
Each translated program includes a single global lock, which protects
all object components in the program. Since the program is single-threaded, this
lock needs to be acquired only once, at the start of the program's execution;
it is then held throughout the execution, allowing unrestricted invocations and
updates of object components.

Gordon and Hankin describe an encoding of the 7r-calculus into their concur- 
rent object calculus. Their encoding is based on an implementation of channels. 
A similar approach works in our setting, but not as neatly. Because the locks 
of our calculus are not semaphores, our implementation of channels uses busy- 
waiting; for example, reading from a channel may involve looping until a value 
is written to that channel by some other thread. 



5 Well-Typed Programs Don't Have Races

The fundamental property of the type system is that well-typed programs do
not have race conditions. We formalize the notion of a race condition as follows.
A term $b$ reads $p.\ell$ if there exists some $\mathcal{E}$ such that $b = \mathcal{E}[\,p.\ell\,]$ and $p \notin \mathit{bn}(\mathcal{E})$.
Similarly, a term $b$ writes $p.\ell$ if there exists some $\mathcal{E}$, $x$, and $c$ such that
$b = \mathcal{E}[\,p.\ell \Leftarrow \varsigma(x)c\,]$ and $p \notin \mathit{bn}(\mathcal{E})$. A term accesses $p.\ell$ if it either reads or writes
$p.\ell$. A term $b$ has an immediate race condition if there exists some $c_1$, $c_2$, and
$p.\ell$ such that $b = \mathcal{E}[\,c_1 \triangleright c_2\,]$, $c_1$ and $c_2$ both access $p.\ell$, and at least one of those
accesses is a write. Finally, a term $b$ has a race condition if its evaluation may
yield a term with an immediate race condition, that is, if there exists a term $c$
such that $b \rightarrow^{*} c$ and $c$ has an immediate race condition.

The type system ensures that, in a well-typed program, a thread that accesses
a method holds the appropriate locks. The following lemma is crucial in
establishing that property.

Lemma 1. If $E; r \vdash b : B$ and $b$ accesses $p.\ell$ then $E; \emptyset \vdash p : [\,\ell : \varsigma(x)A \cdot r' \cdot s\,]$
and $s\{x \leftarrow p\} \in \mathit{clean}(b) \cup r \cup \{+\}$. Furthermore, if the access is a write, then
$s \neq +$.

Since each lock can be held by at most one term at any time, a well-typed
program does not have an immediate race condition.

Lemma 2. If $E; \emptyset \vdash b : B$ then $b$ does not have an immediate race condition.

Furthermore, typing is invariant under reduction.

Lemma 3. If $E; r \vdash b : B$ and $b \rightarrow c$ then $E; r \vdash c : B$.

Using the previous lemmas, we can prove that well-typed programs do not
have race conditions.

Theorem 1. If $E; \emptyset \vdash b : B$ then $b$ does not have a race condition.

6 Conclusion

As this paper shows, a simple type system can help detect and avoid some 
synchronization errors in concurrent object-oriented programs. Our type system 
builds on the underlying object constructs: it extends standard object types with 
locking information. Through operational arguments, we establish that well- 
typed programs do not have race conditions. 

A static-analysis technique such as ours is necessarily incomplete. In practice, 
it probably should be complemented with mechanisms for escaping its require- 
ments, that is, with means for asserting that program fragments do not have 
race conditions even when these fragments do not typecheck. Complementarily, 
we are currently investigating type systems more sophisticated and liberal than 
the one presented in this paper. In the context of Java, we are also considering 
implementations of our methods. 
Appendix: Formal Semantics

The formal semantics of our calculus closely follows that given by Gordon and
Hankin. It consists of a group of structural congruence rules ($\equiv$), which permit
the rearrangement of terms, and a group of reduction rules ($\rightarrow$), which model
proper computation steps. In addition to the rules listed here, we also use a set
of rules that imply that $\equiv$ is a congruence relation.

Structural congruence rules

$$\textsf{(Struct Res $\mathcal{E}$)}\ \ \frac{p \notin \mathit{fn}(\mathcal{E}) \cup \mathit{bn}(\mathcal{E})}{(\nu p)\mathcal{E}[\,a\,] \equiv \mathcal{E}[\,(\nu p)a\,]}
\qquad
\textsf{(Struct Par $\mathcal{E}$)}\ \ \frac{\mathit{fn}(a) \cap \mathit{bn}(\mathcal{E}) = \emptyset}{a \triangleright \mathcal{E}[\,b\,] \equiv \mathcal{E}[\,a \triangleright b\,]}$$

Reduction rules

$$\textsf{(Red Let)}\ \ \mathbf{let}\ x = p\ \mathbf{in}\ b \rightarrow b\{x \leftarrow p\}$$

$$\textsf{(Red Select)}\ \ \frac{d = [\ell_i = \varsigma(x_i)b_i\ {}^{i \in 1..n}] \qquad j \in 1..n}{(p \mapsto d) \triangleright p.\ell_j \rightarrow (p \mapsto d) \triangleright b_j\{x_j \leftarrow p\}}$$

$$\textsf{(Red Update)}\ \ \frac{d = [\ell_i = \varsigma(x_i)b_i\ {}^{i \in 1..n}] \qquad j \in 1..n \qquad d' = [\ell_j = \varsigma(x)b,\ \ell_i = \varsigma(x_i)b_i\ {}^{i \in (1..n) - \{j\}}]}{(p \mapsto d) \triangleright (p.\ell_j \Leftarrow \varsigma(x)b) \rightarrow (p \mapsto d') \triangleright p}$$

$$\textsf{(Red Lock)}\ (\text{where } [\ldots] = [\ell_i = \varsigma(x_i)b_i\ {}^{i \in 1..n}])\ \ (p \mapsto [\ldots]^{\circ}) \triangleright \mathbf{lock}\ p\ \mathbf{in}\ a \rightarrow (p \mapsto [\ldots]^{\bullet}) \triangleright \mathbf{locked}\ p\ \mathbf{in}\ a$$

$$\textsf{(Red Locked)}\ (\text{where } [\ldots] = [\ell_i = \varsigma(x_i)b_i\ {}^{i \in 1..n}])\ \ (p \mapsto [\ldots]^{\bullet}) \triangleright \mathbf{locked}\ p\ \mathbf{in}\ u \rightarrow (p \mapsto [\ldots]^{\circ}) \triangleright u$$

$$\textsf{(Red $\mathcal{E}$)}\ \ \frac{a \rightarrow a'}{\mathcal{E}[\,a\,] \rightarrow \mathcal{E}[\,a'\,]}
\qquad
\textsf{(Red Struct)}\ \ \frac{a \equiv a' \qquad a' \rightarrow b' \qquad b' \equiv b}{a \rightarrow b}$$
Abstract. The paper carries out a systematic investigation into the
axiomatization problem of the asymmetric chi calculus. As a crucial step
in attacking the problem, an open style bisimilarity is defined for each of
the eighteen L-bisimilarities and the two are proved to be equal. On top of
the open bisimilarities, explicit definitions of the eighteen L-congruences
are given, which suggest immediately possible axioms for the congruence
relations. In addition to the axioms for strong bisimilarity, the paper
proposes altogether twenty one additional axioms, three of which are
the well-known tau laws and the other eighteen are new. These axioms
help to lift a complete system for the strong bisimilarity to complete
systems for the eighteen L-congruences.



1 Introduction 

The χ-calculus is a recent addition to the family of calculi of mobile
processes. It is a process algebraic formalization of reaction graphs. The
latter were proposed to emphasize the graphical aspect of concurrent computational
objects. The language is a further step towards a more abstract model of
concurrent computation. One of its novel features is a uniform treatment of names.
Uniformity supports the idea that there should be no difference between input
and output prefixes. The following are examples of communication in χ:

$$(x)(a[x].P \mid \bar a[y].Q \mid R) \rightarrow P[y/x] \mid Q[y/x] \mid R[y/x] \tag{1}$$

$$(x)(\bar a[x].P \mid a[y].Q \mid R) \rightarrow P[y/x] \mid Q[y/x] \mid R[y/x] \tag{2}$$

$$(x)a[x].P \mid \bar a[y].Q \rightarrow P[y/x] \mid Q \tag{3}$$

$$(x)\bar a[x].P \mid a[y].Q \rightarrow P[y/x] \mid Q \tag{4}$$

Here $a[x].P$ and $\bar a[y].Q$ are processes in prefix form, in which $x$ and $y$ are global.
In $(x)(a[x].P \mid \bar a[y].Q \mid R)$ the name $x$ is local as it is restricted by a localization
operator $(x)$. In (1) and (2) interactions between $a[x].P$ and $\bar a[y].Q$ cause the
local name $x$ to be replaced by $y$ throughout the term over which the localization
operator $(x)$ applies. In (3) and (4) the interactions do not affect $Q$ as it is
not restricted by $(x)$. The four reductions should demonstrate the symmetry of
communications in χ-calculus.

* Supported by NNSFC (69873032) and 863 Hi-Tech Project (863-306-ZT06-02-2). 

Jos C.M. Baeten, Sjouke Mauw (Eds.): CONCUR'99, LNCS 1664, pp. 304 ff., 1999.

If one insists that there should be a difference between the positive prefix operation
$a[x]$ and the negative prefix operation $\bar a[x]$ then one obtains an asymmetric
version of χ-calculus. In asymmetric χ-calculus, reductions (1) and (3) are admissible
whereas reductions (2) and (4) are illegal. Asymmetric and polyadic
versions of χ-calculus have been studied by Parrow and Victor.

The equational theory of mobile processes has attracted a lot of attention. Lin
has successfully axiomatized some weak congruences on mobile processes.
He concluded that Milner's three tau laws are enough to lift a system for strong
congruences to a system for weak congruences in calculi of mobile processes. So
far all complete systems for weak congruences on mobile processes are essentially
of a symbolic nature. An alternative is used by Sangiorgi in his study of open
bisimulation. Compared to the symbolic approach, the open approach has the
virtue of simplicity. Strong open bisimilarity on finite mobile processes can be
easily axiomatized. Axiomatization of weak open congruence however has not
been seriously considered.

In this paper we answer some of the open problems in the theory of mobile
processes. Our main contributions are as follows:

- The paper improves our understanding of the asymmetric χ-calculus by
studying open bisimilarities. For each of the eighteen distinct L-bisimilarities,
we introduce an open bisimilarity that coincides with the L-bisimilarity.

- Axiomatization for L-congruences on asymmetric χ-processes has not been
considered before. We give in this paper complete systems for all the eighteen
distinct L-congruences. Our result brings out the importance of the open
counterparts of L-congruences.

- In earlier work attempts have been made to give complete systems for weak
congruence on polyadic χ-processes, and respectively, four L-congruences on
symmetric χ-processes. In this paper it is pointed out that all the proofs
establishing the claimed completeness are wrong. A way to correct the mistake
is proposed.

- As a byproduct, the paper provides a complete system for barbed congruence
on asymmetric χ-processes. It is demonstrated that the bisimulation lattice
is of great help in obtaining such a system.

- Axiomatization for weak open congruence on π-processes has not been paid
enough attention. The approach used in this paper can be applied to give
immediately a complete system for weak open congruence on π-processes.

- The paper refutes the general belief that Milner's three tau-laws are sufficient,
in calculi of mobile processes, to lift a complete system for a strong
congruence to a complete system for the corresponding weak congruence.
This is related to the failure of Hennessy's Lemma in such calculi.

Due to space restrictions, most of the proofs are omitted in this extended abstract.
The proofs given are sketchy. Some of the intermediate lemmas are excluded. A
much more detailed account can be found in the full paper. In the rest of the
paper we will leave out the adjective in "asymmetric χ".
2 Background

Let $\mathcal{N}$ be the set of names, ranged over by lower case letters, and $\overline{\mathcal{N}}$ the set
$\{\bar x \mid x \in \mathcal{N}\}$ of conames. The Greek letter $\alpha$ ranges over $\mathcal{N} \cup \overline{\mathcal{N}}$. For $\alpha \in \mathcal{N} \cup \overline{\mathcal{N}}$,
$\bar\alpha$ is defined as $\bar a$ if $\alpha = a$ and as $a$ if $\alpha = \bar a$. The χ-processes are defined by
the following abstract grammar:

$$P := 0 \mid \alpha[x].P \mid P|P \mid (x)P \mid [x{=}y]P \mid P+P$$

Most of the combinators have completely the same reading as those of the
π-calculus. The name $x$ in $(x)P$ is local. A name is global in $P$ if it is not local in
$P$. For instance the name $x$ in both $a[x].P$ and $\bar a[x].P$ is global. We will write
$gn(P)$ for the set of global names in $P$. As this paper is mainly concerned with
axiomatization of finite χ-processes, we have omitted the replication operator.
The set of χ-processes will be denoted by $\mathcal{C}$. The well-known α-convention will
be adopted.

Let $\delta$ range over the set $\{\tau\} \cup \{m[x], \bar m[x], mx, \bar m(x), [y/x], (y/x] \mid m, x, y \in \mathcal{N}\}$
of transition labels and $\mu$ over $\{\tau\} \cup \{m[x], \bar m[x], mx, \bar m(x) \mid m, x \in \mathcal{N}\}$. In
$(y/x]$, $x$ and $y$ must be different. A name in $\delta$ is local if it appears as $x$ in $\bar m(x)$
or $(x/y]$; it is global otherwise. Let $ln(\delta)$, respectively $gn(\delta)$, denote the set of
local, respectively global, names appearing in $\delta$; and let $n(\delta)$ denote the set of
names in $\delta$. The sets $ln(\mu)$, $gn(\mu)$ and $n(\mu)$ are defined accordingly.

The following rules define the operational semantics of χ-calculus:

$$\frac{}{\alpha[x].P \xrightarrow{\alpha[x]} P}
\qquad
\frac{P \xrightarrow{\delta} P'}{[x{=}x]P \xrightarrow{\delta} P'}
\qquad
\frac{P \xrightarrow{\delta} P'}{P+Q \xrightarrow{\delta} P'}$$

$$\frac{P \xrightarrow{\mu} P' \qquad ln(\mu) \cap gn(Q) = \emptyset}{P|Q \xrightarrow{\mu} P'|Q}
\qquad
\frac{P \xrightarrow{[y/x]} P'}{P|Q \xrightarrow{[y/x]} P'|Q[y/x]}
\qquad
\frac{P \xrightarrow{(y/x]} P' \qquad y \notin gn(Q)}{P|Q \xrightarrow{(y/x]} P'|Q[y/x]}$$

$$\frac{P \xrightarrow{mx} P' \qquad Q \xrightarrow{\bar m[x]} Q'}{P|Q \xrightarrow{\tau} P'|Q'}
\qquad
\frac{P \xrightarrow{mx} P' \qquad Q \xrightarrow{\bar m(x)} Q' \qquad x \notin gn(P)}{P|Q \xrightarrow{\tau} (x)(P'|Q')}$$

$$\frac{P \xrightarrow{m[x]} P' \qquad Q \xrightarrow{\bar m[y]} Q'}{P|Q \xrightarrow{[y/x]} P'[y/x]\,|\,Q'[y/x]}
\qquad
\frac{P \xrightarrow{m[x]} P' \qquad Q \xrightarrow{\bar m(y)} Q' \qquad y \notin gn(P)}{P|Q \xrightarrow{(y/x]} P'[y/x]\,|\,Q'[y/x]}$$

$$\frac{P \xrightarrow{\delta} P' \qquad x \notin n(\delta)}{(x)P \xrightarrow{\delta} (x)P'}
\qquad
\frac{P \xrightarrow{m[x]} P' \qquad x \neq m}{(x)P \xrightarrow{my} P'[y/x]}
\qquad
\frac{P \xrightarrow{\bar m[x]} P' \qquad x \neq m}{(x)P \xrightarrow{\bar m(x)} P'}$$

$$\frac{P \xrightarrow{[y/x]} P' \qquad x \neq y}{(x)P \xrightarrow{\tau} P'}
\qquad
\frac{P \xrightarrow{[y/x]} P' \qquad x \neq y}{(y)P \xrightarrow{(y/x]} P'}
\qquad
\frac{P \xrightarrow{(y/x]} P'}{(x)P \xrightarrow{\tau} (y)P'}
\qquad
\frac{P \xrightarrow{[x/x]} P'}{(x)P \xrightarrow{\tau} (x)P'}$$

The semantics is different from the one in our earlier work. Here
$m[x].P \mid \bar m[x].Q \xrightarrow{[x/x]} P|Q$ but not $m[x].P \mid \bar m[x].Q \xrightarrow{\tau} P|Q$. There $[x/x]$ is
identified with $\tau$; here they are different.
zero or a finite number of times. It follows from definition that . For
simplification will be abbreviated to . An atomic substitution of $y$
for $x$ is denoted by $[y/x]$. A general substitution $\sigma$ is the composition of atomic
substitutions, whose effect on a process $P$ is defined by

$$P[y_1/x_1] \ldots [y_n/x_n] \stackrel{\mathrm{def}}{=} (P[y_1/x_1] \ldots [y_{n-1}/x_{n-1}])[y_n/x_n].$$

The composition of zero atomic substitutions is the empty substitution $[\,]$ whose
effect on a process is vacuous. A sequence of names $x_1, \ldots, x_n$ will be abbreviated
as $\tilde x$ and consequently $(x_1) \ldots (x_n)P$ will be abbreviated to $(\tilde x)P$. When the
length of $\tilde x$ is zero, $(\tilde x)P$ is just $P$.

In the rest of the paper $M$ and $N$, and their indexed forms, denote finite
lists of equalities $x{=}y$. Let $M$ be $x_1{=}y_1, \ldots, x_n{=}y_n$. Then $[M]P$ denotes
$[x_1{=}y_1] \cdots [x_n{=}y_n]P$. If $M$ logically implies $N$, we write $M \Rightarrow N$; and if both
$M \Rightarrow N$ and $N \Rightarrow M$ we write $M \Leftrightarrow N$. If $M$ is an empty list, it plays the
role of logical truth, in which case $[M]P$ is just $P$. Clearly a list $M$ of match
equalities defines an equivalence relation on the set $n(M)$ of names appearing
in $M$. We use $\sigma_M$ to denote an arbitrary substitution that sends all members
of an equivalence class to a representative of that class and sends a name not
in $n(M)$ to itself. For a finite number of processes $P_i$, $i \in I$, we write $\sum_{i \in I} P_i$
for $P_1 + \ldots + P_n$. We have left out the parentheses in $P_1 + \ldots + P_n$ as $+$ is
associative both semantically and proof theoretically.

In order to axiomatize the congruence relations of this paper, we need to
internalize, as it were, the labels of the transition system. In the following
definitions $a$ is fresh: $\alpha(x).P \stackrel{\mathrm{def}}{=} (x)\alpha[x].P$, where $x \notin \{\alpha, \bar\alpha\}$;
$\tau.P \stackrel{\mathrm{def}}{=} (a)[a/a].P$; $[y/x].P \stackrel{\mathrm{def}}{=} (a)(\bar a[y] \mid a[x].P)$; $(y/x].P \stackrel{\mathrm{def}}{=} (y)[y/x].P$,
where $x \neq y$. The prefix $[y/x]$, first introduced in earlier work, is called an update.
It is clear from the definition that both $x$ and $y$ in $[y/x].P$ are global. On the
other hand the $y$ in the restricted update $(y/x].P$ is local.

We state below some technical results to be used in the rest of the paper.
Their proofs are simple inductions on derivations.

Lemma 1. Let $n(\sigma)$ denote the names appearing in the substitution $\sigma$.

(i) If $n(\sigma) \cap ln(\mu) = \emptyset$ and $P \xrightarrow{\mu} P'$ then $P\sigma \xrightarrow{\mu\sigma} P'\sigma$.

(iii) If $y \notin n(\sigma)$ and $P \xrightarrow{[y/x]} P'$ then $P\sigma \xrightarrow{[y/x\sigma]} P'\sigma[y/x\sigma]$.



Lemma 2. If{x)P 
P', or, for yi,...,yn, n \ 




P' and X = y, or P 

( yn/|/ n-l] (y/V n] , 

'' V-r, '' V ^ ’ 




We refer the reader to our earlier work for more on the semantics of χ-calculus.
3 Bisimulation Lattice

Bisimulation equalities are the finest equivalence relations on processes. For a
particular process calculus, there is not just one weak bisimulation equality but
a whole range of them. These equalities differ in the extent to which actions are
admitted. In practice one uses one bisimulation equality in preference to others
because the processes one is interested in are capable of performing only certain
kinds of actions.

We will define a class of bisimulation equalities on χ-processes induced by
different sets of admissible actions. For that purpose, we introduce the following
notations. Let $fo$ denote the set $\{\bar a[x] \mid a, x \in \mathcal{N}\}$ of free outputs, $fi$ the set
$\{a[x] \mid a, x \in \mathcal{N}\}$ of free inputs, $i$ the set $\{ax \mid a, x \in \mathcal{N}\}$ of inputs, $ro$ the set
$\{\bar a(x) \mid a, x \in \mathcal{N}\}$ of restricted outputs, $u$ the set $\{[y/x] \mid x, y \in \mathcal{N}\}$ of updates
and $ru$ the set $\{(y/x] \mid x, y \in \mathcal{N}\}$ of restricted updates. Define $\mathcal{L}$ as
$\{\bigcup S \mid S \subseteq \{fo, fi, i, ro, u, ru\} \wedge S \neq \emptyset\}$.

Contexts are certain processes with a hole. They are inductively defined as
follows: (i) $[\,]$ is a context; (ii) if $C[\,]$ is a context then $C[\,]|P$, $P|C[\,]$, $(x)C[\,]$ and
$\alpha[x].C[\,]$ are contexts. A binary relation $\mathcal{R}$ on $\mathcal{C}$ is closed under context if $P\mathcal{R}Q$
implies $C[P]\,\mathcal{R}\,C[Q]$ for every context $C[\,]$. It is closed under substitution if $P\mathcal{R}Q$
implies $P\sigma\,\mathcal{R}\,Q\sigma$ for every substitution $\sigma$.

Definition 3. Let $\mathcal{R}$ be a binary symmetric relation on $\mathcal{C}$ and $L$ be an element
of $\mathcal{L}$. The relation $\mathcal{R}$ is an $L$-relation if whenever $P\mathcal{R}Q$ and $P \xrightarrow{\phi} P'$, for
$\phi \in L \cup \{\tau\}$, then some $Q'$ exists such that $Q \stackrel{\hat\phi}{\Longrightarrow} Q'\,\mathcal{R}\,P'$. An open $L$-relation
is an $L$-relation that is closed under substitution. An $L$-bisimulation is an
$L$-relation that is closed under context. The $L$-bisimilarity, notation $\approx_L$, is the
largest $L$-bisimulation.

According to Definition 3, $P$ is $L$-bisimilar to $Q$ if an admissible action $\phi$ of $P$,
that is $\phi \in L$, can be simulated by the same action from $Q$ up to tau actions
and vice versa. Closedness under context guarantees that $L$-bisimilarity is stable
with respect to all but the summation operation.

Theorem 4. If $\sigma$ is a substitution, $L \in \mathcal{L}$, $P \approx_L Q$ and $O \in \mathcal{C}$ then (i)
$\alpha[x].P \approx_L \alpha[x].Q$; (ii) $P|O \approx_L Q|O$; (iii) $(x)P \approx_L (x)Q$; (iv) $[x{=}y]P \approx_L [x{=}y]Q$;
(v) $P\sigma \approx_L Q\sigma$.

There are altogether 63 $L$-bisimilarities. Not all of them are distinct. The
next theorem reveals the full picture of the order relationship among them.

Theorem 5. Suppose $L, L_1, L_2 \in \mathcal{L}$. Then the following properties hold:

(i) and if $L \neq i$ then the inclusion is strict.

(ii) $\approx_{L_1} \neq \approx_{L_2}$ if either $(fi \cap L_1 = \emptyset) \wedge (fi \subseteq L_2)$ or $(ru \cap L_1 = \emptyset) \wedge (ru \subseteq L_2)$ or
$((ru \cup ro) \cap L_1 = \emptyset) \wedge (ro \subseteq L_2)$ or $(u \cap L_1 = \emptyset) \wedge (u \subseteq L_2)$ or
$((u \cup fo) \cap L_1 = \emptyset) \wedge (fo \subseteq L_2)$.

(iii) Both inclusions are strict.
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Fig. 1. The Bisimulation Lattice of Chi Calculus 



It follows from TheoremHthat there are altogether 18 distinct L-bisimilarities. 
These are described in Figure B In the diagram an arrow indicates a strict 
inclusion. Each labeled node is the principal representative of a number of L- 
bisimilarities that coincide. For instance, the node labeled by «roUruuiu/i is 
the principal representative of the equivalence class {~l| ru U /z C L C ro U 
ru U z U /z and L S £}. The order structure induced by the arrow relation is 
called the bisimulation lattice of y-calculus. Due to space limitation we will be 
concentrating on ~roUrttuiu/iu/ou« and ~roUruuiu/iu/o in this paper. Extensive 
studies of the other sixteen can be found in the full paper. 

The proof of Theorem 5 is sketched in the earlier paper. In this paper we give some examples to support the inequalities claimed in the theorem. These examples are far more general than the earlier ones in the sense that they are axiom generating. Suppose x ≠ y and L ∩ fi = ∅. Then

$m(y).(P + [y/x].Q) \not\approx_{fi} m(y).(P + [y/x].Q) + m[x].Q[x/y]$   (5)

$m(y).(P + [y/x].Q) \approx_L m(y).(P + [y/x].Q) + m[x].Q[x/y]$   (6)

Now (5) is obvious whereas (6) is slightly more subtle. None of the actions confined in L can tell the two processes apart. The reduction

$(m(y).(P + [y/x].Q) + m[x].Q[x/y])\,|\,\bar m[z] \xrightarrow{[z/x]} Q[z/y][z/x]$,

for instance, is matched up by

$m(y).(P + [y/x].Q)\,|\,\bar m[z] \to [z/x].Q[z/y] \xrightarrow{[z/x]} Q[z/y][z/x]$.

Suppose Q cannot perform any restricted updates up to tau actions. Then

$(y/x).Q + \tau.Q[x/y] \not\approx \tau.Q[x/y]$   (7)

$(y/x).(P + (z/y).Q) \not\approx (y/x).(P + (z/y).Q) + (z/x).Q[z/y]$   (8)

$(y/x).Q + \tau.Q[x/y] \approx_L \tau.Q[x/y]$   (9)

$(y/x).(P + (z/y).Q) \approx_L (y/x).(P + (z/y).Q) + (z/x).Q[z/y]$   (10)

when L ∩ ru = ∅. Both (7) and (8) are obvious. Intuitively (9) holds because if the admissible actions are confined in L then the first action of (y/x).Q is not fireable. For it to be activated the global name x must be localized in a context. But then the action invoked by (y/x) amounts to substituting the local y for the local x, the side effect being the same as that of applying α-conversion. For a similar reason (10) holds, because replacing x by the local z in Q[z/y] results in the same process as the one obtained by first substituting the local y for x in Q and then substituting the local z for y.

If Q can perform a restricted output action not matched up by P then

$a(x).(P + (y/x).Q) \not\approx_{ro} a(x).(P + (y/x).Q) + a(y).Q[y/x]$   (11)

$a(x).(P + (y/x).Q) \approx_L a(x).(P + (y/x).Q) + a(y).Q[y/x]$   (12)

when L ∩ (ru ∪ ro) = ∅. The inequality (11) holds because a(y).Q[y/x] can perform two consecutive restricted output actions not matchable by a(x).(P + (y/x).Q). The equality (12) holds as a(y).Q[y/x] can only be involved in a communication when restricted output and restricted update actions are banned.

Suppose L ∩ u = ∅ and x ≠ y. Let A be $[x/x].(P_1 + [y/x].Q)$ and B be $[y/y].(P_2 + [y/x].Q)$. Then

$A + B \not\approx A + B + [y/x].Q$   (13)

$A + B \approx_L A + B + [y/x].Q$   (14)

The inequality (13) is obvious. To understand (14) notice that if updates are banned then the component [y/x].Q can be initiated only when at least one of x and y is localized. If x is localized then $[x/x].(P_1 + [y/x].Q)$ can simulate [y/x].Q, and if y is localized then it is for $[y/y].(P_2 + [y/x].Q)$ to do the job.

Suppose C is $[x/x].(P_1 + a[x].Q[x/y])$ and D is $[y/y].(P_2 + [x/y].Q)$. Then

$C + a(y).(P + D) \not\approx_{fo} C + a(y).(P + D) + a[x].Q[x/y]$   (15)

$C + a(y).(P + D) \approx_L C + a(y).(P + D) + a[x].Q[x/y]$   (16)

when L ∩ (u ∪ fo) = ∅. Now (15) is clear. Justification of (16) is as follows. If the component a[x].Q[x/y] induces a restricted output (update) action, then $[x/x].(P_1 + a[x].Q[x/y])$ can simulate the action by performing first a tau action and then a restricted output (update). For example

$\bar a[z]\,|\,(x)(C + a(y).(P + D) + a[x].Q[x/y]) \to 0\,|\,Q[x/y][x/z]$

is simulated by

$\bar a[z]\,|\,(x)(C + a(y).(P + D)) \to \bar a[z]\,|\,(x)(P_1 + a[x].Q[x/y]) \to 0\,|\,Q[x/y][x/z]$.

If the component a[x].Q[x/y] is involved in a communication, as in

$(z)\bar a[z].R\,|\,(C + a(y).(P + D) + a[x].Q[x/y]) \to R[x/z]\,|\,Q[x/y]$,

then $a(y).(P + [y/y].(P_2 + [x/y].Q))$ will put itself into action. The simulating sequence is:

$(z)\bar a[z].R\,|\,(C + a(y).(P + D)) \to (y)(R[y/z]\,|\,(P + [y/y].(P_2 + [x/y].Q))) \to (y)(R[y/z]\,|\,(P_2 + [x/y].Q)) \to R[x/z]\,|\,Q[x/y]$.

The reader is advised to play with these examples before moving on. 






4 Open Bisimilarities 



The idea of open bisimilarity is that in order to show P and Q to be bisimilar, all one needs to consider are substitution instances of the pair. As a process contains only a finite number of names, it is usually enough to consider only a finite number of substitution instances. This is the basic reason for the effectiveness of open bisimilarity. The adjective "open" refers to the fact that in this approach the global names appearing in a process are treated very much like the free variables in, say, an open λ-term.

In this section we will define, for each L ∈ 𝓛, an open bisimilarity that coincides with the L-bisimilarity. The proofs of coincidence not only support our definitions of open bisimulations for χ-processes but also reveal much deeper properties of L-bisimilarities from the technical point of view.



Definition 6. (i) An open ro∪ru∪i∪fi∪fo∪u-bisimulation is the same as an open ro∪ru∪i∪fi∪fo∪u-relation.

(ii) An open ro∪ru∪i∪fi∪fo-relation 𝓡 is an open ro∪ru∪i∪fi∪fo-bisimulation if the following properties hold for P and Q whenever P 𝓡 Q:

– If $P \xrightarrow{[x/x]} P'$ then Q' exists such that either $Q \Rightarrow_x Q' \,\mathcal{R}\, P'$ or some y_1, …, y_n, n ≥ 1, exist such that $Q \Rightarrow_x \xRightarrow{(y_1/x)} \xRightarrow{(y_2/y_1)} \cdots \xRightarrow{(y_n/y_{n-1})} Q'$ and $Q'[x/y_n] \,\mathcal{R}\, P'$.

– If $P \xrightarrow{[y/x]} P'$, where x ≠ y, then Q' exists such that either $Q \xRightarrow{[y/x]} Q' \,\mathcal{R}\, P'$ or both of the following properties hold:

  • either $Q \Rightarrow_x Q' \,\mathcal{R}\, P'$ or some y_1, …, y_n, for n ≥ 1, exist such that $Q \Rightarrow_x \xRightarrow{(y_1/x)} \xRightarrow{(y_2/y_1)} \cdots \xRightarrow{(y_n/y_{n-1})} \xRightarrow{[y/y_n]} Q' \,\mathcal{R}\, P'$;

  • either $Q \Rightarrow_y Q' \,\mathcal{R}\, P'$ or some Q'', z_1, …, z_m, for m ≥ 1, exist such that $Q''[y/z_m] \,\mathcal{R}\, P'$ and $Q \Rightarrow_y \xRightarrow{(z_1/y)} \xRightarrow{(z_2/z_1)} \cdots \xRightarrow{(z_m/z_{m-1})} Q''$.

For each L ∈ 𝓛, the open L-bisimilarity $\sim^{open}_L$ is the largest open L-bisimulation.



The above definition is not easy to digest. For motivation, the reader should check the examples given in the previous section against the definition.

Theorem 7. Suppose L ∈ 𝓛. Then $\sim^{open}_L$ coincides with $\sim_L$.



Proof. First we show that $\sim_L \subseteq \sim^{open}_L$. Let a be fresh throughout the proof.

(i) It follows from Definition 6 and Theorem 4 that $\sim_{ro\cup ru\cup i\cup fi\cup fo\cup u}$ is an open ro∪ru∪i∪fi∪fo∪u-bisimulation.

(ii) Suppose $P \sim_{ro\cup ru\cup i\cup fi\cup fo} Q$ and $P \xrightarrow{[x/x]} P'$. Then $(x)(P\,|\,a[x]) \to P'\,|\,0$ must be matched up by $(x)(Q\,|\,a[x]) \Rightarrow Q'\,|\,0$ for some Q' such that $P' \sim_{ro\cup ru\cup i\cup fi\cup fo} Q'$. By an earlier lemma one derives that either $Q \Rightarrow_x Q' \,\mathcal{R}\, P'$ or some y_1, …, y_n, for n ≥ 1, exist such that $Q \Rightarrow_x \xRightarrow{(y_1/x)} \xRightarrow{(y_2/y_1)} \cdots \xRightarrow{(y_n/y_{n-1})} Q'$ and $Q'[x/y_n] \,\mathcal{R}\, P'$.

If $P \xrightarrow{[y/x]} P'$ and x ≠ y, then $(x)(P\,|\,a[x]) \to P'\,|\,a[y]$. To match up the reduction, there must exist some Q' such that $(x)(Q\,|\,a[x]) \Rightarrow Q'\,|\,a[y]$. According to the same lemma there are only three possibilities: either $Q \xRightarrow{[y/x]} Q' \sim_{ro\cup ru\cup i\cup fi\cup fo} P'$, or $Q \Rightarrow_x Q' \sim_{ro\cup ru\cup i\cup fi\cup fo} P'$, or $Q \Rightarrow_x \xRightarrow{(y_1/x)} \xRightarrow{(y_2/y_1)} \cdots \xRightarrow{(y_n/y_{n-1})} \xRightarrow{[y/y_n]} Q' \sim_{ro\cup ru\cup i\cup fi\cup fo} P'$ for some y_1, …, y_n, n ≥ 1. If the first case is not possible, there must also exist some Q'' such that $(y)(Q\,|\,a[x]) \Rightarrow Q''\,|\,a[y]$ matches up $(y)(P\,|\,a[x]) \to P'\,|\,a[y]$. Clearly $(y)(Q\,|\,a[x]) \Rightarrow Q''\,|\,a[y]$ can be factorized as

$(y)(Q\,|\,a[x]) \Rightarrow (z)(Q_1\,|\,a[x]) = (y)(Q_1[y/z]\,|\,a[x]) \to Q_2\,|\,a[y] \Rightarrow Q''\,|\,a[y]$.

By the lemma, either $Q \Rightarrow_y Q' \,\mathcal{R}\, P'$ or some Q'', z_1, …, z_m, for m ≥ 1, exist such that $Q''[y/z_m] \,\mathcal{R}\, P'$ and $Q \Rightarrow_y \xRightarrow{(z_1/y)} \xRightarrow{(z_2/z_1)} \cdots \xRightarrow{(z_m/z_{m-1})} Q''$. Notice that $Q \xRightarrow{[y/x]} Q' \,\mathcal{R}\, P'$ is impossible by assumption.

The inclusion $\sim^{open}_L \subseteq \sim_L$ amounts to showing that, for each L ∈ 𝓛, $\sim^{open}_L$ is an L-bisimulation. □

With the help of the above theorem we can now define L-congruences by exploiting the explicit requirement in the definition of open L-bisimilarities.

Definition 8. Two processes P and Q are L-congruent, written $P =_L Q$, if $P \sim^{open}_L Q$ and, for every substitution σ and every φ ∈ ru ∪ u ∪ {τ}, $P\sigma \xrightarrow{\varphi} P'$ must be matched up by a nonempty sequence of actions from Q, and vice versa.

So for instance, if $P =_{ro\cup ru\cup i\cup fi\cup fo} Q$ then it should not be the case that the only way Q can simulate $P \xrightarrow{\tau} P'$ is by the vacuous action $Q \Rightarrow Q$.



5 Prefix Laws 

Let AS be the system given in Figure 2 plus the equivalence rules, the congruence rules and the following expansion law, in which π and γ range over {τ} ∪ {a[x], [y/x] | x, y ∈ 𝒩}:

$P\,|\,Q = \sum_{i\in I}[M_i](x)\pi_i.(P_i\,|\,Q) + \sum_{\pi_i = a_i[x_i],\ \gamma_j = b_j[y_j]}[M_i][N_j](x)(y)[a_i=b_j][y_j/x_i].(P_i\,|\,Q_j)$

where P is $\sum_{i\in I}[M_i](x)\pi_i.P_i$, Q is $\sum_{j\in J}[N_j](y)\gamma_j.Q_j$ and {x} ∩ {y} = ∅. The second component on the right hand side of the above equality captures the idea that whenever π_i is of the form a_i[x_i] for some i ∈ I and γ_j is of the form b_j[y_j] for some j ∈ J then there is a summand $[M_i][N_j](x)(y)[a_i=b_j][y_j/x_i].(P_i\,|\,Q_j)$.

We will write AS ∪ {R_1, …, R_n} ⊢ P = Q to mean that the equality P = Q is derivable from the axioms and rules of AS together with the axioms and rules R_1, …, R_n. When no confusion arises, we simply write P = Q. We will also write $P =_R Q$ to indicate that R is the major axiom applied to derive P = Q.
L1   $(x)0 = 0$
L2   $(x)a[y].P = 0$   if $x \in \{a, \bar a\}$
L3   $(x)a[y].P = a[y].(x)P$   if $x \notin \{y, a, \bar a\}$
L4   $(x)(y)P = (y)(x)P$
L5   $(x)[y=z]P = [y=z](x)P$   if $x \notin \{y, z\}$
L6   $(x)(P+Q) = (x)P + (x)Q$
L7   $(x)[x=y]P = 0$
L8   $(x)[y/x].P = \tau.P[y/x]$
L9   $(x)[y/z].P = [y/z].(x)P$   if $x \notin \{y, z\}$
L10  $(x)\tau.P = \tau.(x)P$

M1   $[M]P = [N]P$   if $M \Leftrightarrow N$
M2   $[x=y]P = [x=y]P[y/x]$
M3   $[x=y](P+Q) = [x=y]P + [x=y]Q$

S1   $P + 0 = P$
S2   $P + Q = Q + P$
S3   $P + (Q + R) = (P + Q) + R$
S4   $[x=y]P + P = P$

U1   $[y/x].P = [y/x].[x=y]P$

MD1  $[x=y]0 = 0$   derivable from S1 and S4
MD2  $[x=x]P = P$   derivable from M1
MD3  $[M]P = [M](P\sigma_M)$   derivable from M2
SD1  $P + P = P$   derivable from MD2 and S4
SD2  $[M]P + P = P$   derivable from the S-rules
UD1  $[y/x].P = [y/x].P[y/x]$   derivable from U1 and M2

Fig. 2. Axioms for Strong Bisimilarity on Chi Processes
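As an added worked example (not part of the paper), the "derivable from" claims for MD1, MD2, SD1 and UD1 in Figure 2 can be checked by the following short derivations, which use only the axioms listed in the figure together with the congruence rules of AS (the instantiation of each axiom is noted on the right):

```latex
% MD1: [x=y]0 = 0, from S1 and S4
[x=y]0 \;\overset{S1}{=}\; [x=y]0 + 0 \;\overset{S4}{=}\; 0
   \qquad \text{(S1 with } P := [x=y]0;\ \text{S4 with } P := 0)

% MD2: [x=x]P = P, from M1
[x=x]P \;\overset{M1}{=}\; P
   \qquad \text{(the match } [x=x] \text{ is logically equivalent to the empty match)}

% SD1: P + P = P, from MD2 and S4
P + P \;\overset{MD2}{=}\; [x=x]P + P \;\overset{S4}{=}\; P
   \qquad \text{(S4 with } y := x)

% UD1: [y/x].P = [y/x].P[y/x], from U1 and M2
[y/x].P \;\overset{U1}{=}\; [y/x].[x=y]P
        \;\overset{M2}{=}\; [y/x].[x=y](P[y/x])
        \;\overset{U1}{=}\; [y/x].P[y/x]
   \qquad \text{(second U1 step applied right-to-left to } P[y/x])
```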



In AS every process P can be converted to a normal form process of the following shape:

$\sum_{i\in I_1}[M_i]a_i[x_i].P_i + \sum_{i\in I_2}[M_i]a_i(x).P_i + \sum_{i\in I_3}[M_i][y_i/x_i].P_i + \sum_{i\in I_4}[M_i](y/x_i).P_i + \sum_{i\in I_5}[M_i]\tau.P_i$,

in which neither x nor y appears global in P and P_i is in normal form for each i ∈ I_1 ∪ I_2 ∪ I_3 ∪ I_4 ∪ I_5. Here I_1, I_2, I_3, I_4 and I_5 are pairwise disjoint finite indexing sets.

AS is sound and complete for strong bisimilarity, whose definition we omit. In order to lift AS to complete systems for L-congruences, we propose 17 axioms as given in Figure 3. We call them prefix laws as they mainly deal with prefix combinators. The first three are the well-known tau laws. Axioms P4 and P14 appeared in the earlier paper. The other twelve axioms are new. In what follows, $AS_\tau$ denotes AS ∪ {P1, P2, P3}.

6 Saturation Property 

In the standard proof of the completeness theorem for weak congruence on finite CCS processes, one verifies first that every normal form process is provably equal to a saturated normal form process using the three tau laws. Recall that a process P is saturated if, for every α, $P \xrightarrow{\alpha} P'$ whenever $P \xRightarrow{\alpha} P'$. Now if P and Q are weakly congruent saturated normal form processes and $P \xrightarrow{\alpha} P'$ then
P1   $\delta.\tau.P = \delta.P$
P2   $P + \tau.P = \tau.P$
P3   $\delta.(P + \tau.Q) = \delta.(P + \tau.Q) + \delta.Q$
P4   $a(y).(P + [y/x].Q) = a(y).(P + [y/x].Q) + a[x].Q[x/y]$
P5   $(y/x).P + \tau.P[x/y] = \tau.P[x/y]$
P6   $(y/x).(P + (z/y).Q) = (y/x).(P + (z/y).Q) + (z/x).Q[z/y]$
P7   $a(x).(P + (y/x).Q) = a(x).(P + (y/x).Q) + a(y).Q[y/x]$
P8   $A + B = A + B + [y/x].Q$
P9   $C + a(y).(P + D) = C + a(y).(P + D) + a[x].Q[x/y]$
P10  $E + a(y).(P + F) = E + a(y).(P + F) + a[x].Q[x/y]$
P11  $G + a(y).(P + F) = G + a(y).(P + F) + a[x].Q[x/y]$
P12  $(y/x).(P + [z/y].Q) = (y/x).(P + [z/y].Q) + [z/x].Q[z/y]$
P13  $(y/x).(P + a[y].Q) = (y/x).(P + a[y].Q) + a[x].Q[x/y]$
P14  $a(x).(P + [y/x].Q) = a(x).(P + [y/x].Q) + a[y].Q[y/x]$
P15  $(y/x).P + [x/x].P[x/y] = [x/x].P[x/y]$
P16  $(y/x).P + [x/x].P[x/y] = (y/x).P$
P17  $[x/x].P + \tau.P = \tau.P$

In P8, $A = [x/x].(P_1 + [y/x].Q)$ and $B = [y/y].(P_2 + [y/x].Q)$.
In P9, $C = [x/x].(P_1 + a[x].Q[x/y])$ and $D = [y/y].(P_2 + [x/y].Q)$.
In P10, $E = [x/x].(P_1 + a[x].Q[x/y])$ and $F = [y/y].(P_2 + [y/x].Q)$.
In P11, $G = [x/x].(P_1 + a(y).(Q_1 + [x/x].(Q_2 + [y/x].Q)))$ and $F = [y/y].(P_1 + [y/x].Q)$.

Fig. 3. The Prefix Laws



$Q \xRightarrow{\alpha} Q'$ for some Q' such that Q' ≈ P', where ≈ denotes weak bisimilarity. By saturation, $Q \xrightarrow{\alpha} Q'$ and therefore α.Q' is a summand of Q. If, and this is a nontrivial if, we can deduce by the induction hypothesis that α.P' is provably equal to α.Q', then we can conclude that every summand of P is provably equal to a summand of Q, and vice versa. This gives us the required completeness.

If one is focusing only on the completeness proof, then the notion of saturated process is a distraction. All one really needs is the following saturation property:

If $P \xRightarrow{\alpha} P'$ for normal form P, then P and P + α.P' are provably equal.

This is the first of the two crucial properties a completeness proof rests upon. The other one is discussed in the next section. These properties suffice to establish the following absorption property:

If two normal form processes P and Q are congruent then P + Q is provably equal to P.

Of course, under the same assumption, P + Q is also provably equal to Q. Hence the completeness.

In χ-calculus, a basic saturation lemma would say that P and P + δ.P' are provably equal whenever $P \xRightarrow{\delta} P'$ for a normal form process P. But this is far from sufficient. Suppose $P =_{ro\cup ru\cup i\cup fi\cup fo} Q$ for normal form processes P and Q. Suppose further that [x/x].P' is a summand of P. Then some Q' must exist such that either $P' \sim_{ro\cup ru\cup i\cup fi\cup fo} Q'$ and $Q \Rightarrow_x Q'$, or $P' \sim_{ro\cup ru\cup i\cup fi\cup fo} Q'[x/y_n]$ and some y_1, …, y_n, for n ≥ 1, exist such that $Q \Rightarrow_x \xRightarrow{(y_1/x)} \xRightarrow{(y_2/y_1)} \cdots \xRightarrow{(y_n/y_{n-1})} Q'$. In the former case we have, by the basic saturation lemma, that Q is provably equal to Q + [x/x].Q'. In the latter case we would also like to say the same. But it no longer follows from the basic saturation lemma. Extra axioms are necessary to derive the equality Q = Q + [x/x].Q'.



Lemma 9. Suppose Q is in normal form. Then the following properties hold:

(1) If $Q\sigma_M \Rightarrow Q'$ then $AS_\tau \vdash Q = Q + [M]\tau.Q'$.

(2) If $Q\sigma_M \xRightarrow{a[x]} Q'$ then $AS_\tau \vdash Q = Q + [M]a[x].Q'$.

(3) If z ∉ gn(Q) ∪ n(M) and $Q\sigma_M \xRightarrow{a(z)} Q'$ then $AS_\tau \vdash Q = Q + [M]a(z).Q'$.

(4) If z ∉ gn(Q) ∪ n(M) and $Q\sigma_M \xRightarrow{a(z)} Q'$ then $AS_\tau \vdash Q = Q + [M]a(z).Q'$.

(5) If $Q\sigma_M \xRightarrow{[y/x]} Q'$ then $AS_\tau \vdash Q = Q + [M][y/x].Q'$.

(6) If y ∉ gn(Q) ∪ n(M) and $Q\sigma_M \xRightarrow{(y/x)} Q'$ then $AS_\tau \vdash Q = Q + [M](y/x).Q'$.

(7) If $Q\sigma_M \Rightarrow_x Q'$ or $Q\sigma_M \xRightarrow{[x/x]} Q'$ then $AS_\tau \cup \{P8, P17\} \vdash Q = Q + [M][x/x].Q'$.

(8) If $Q\sigma_M \Rightarrow_x \xRightarrow{(y_1/x)} \xRightarrow{(y_2/y_1)} \cdots \xRightarrow{(y_n/y_{n-1})} Q'$ then $Q = Q + [M][x/x].Q'[x/y_n]$ is provable in the system $AS_\tau \cup \{P8, P16, P17\}$.

Proof. (8) Suppose $Q\sigma_M \Rightarrow_x Q_1 \xrightarrow{(y_1/x)} Q_2 \Rightarrow Q_3 \xrightarrow{(y_2/y_1)} Q_4 \cdots Q_{2n-1} \xrightarrow{(y_n/y_{n-1})} Q_{2n} \Rightarrow Q'$. Now x ∉ Q_2, x ∉ Q_3; x, y_1 ∉ Q_4, x, y_1 ∉ Q_5; …; x, y_1, …, y_{n-2} ∉ Q_{2n-2}, x, y_1, …, y_{n-2} ∉ Q_{2n-1}; x, y_1, …, y_{n-1} ∉ Q_{2n}, x, y_1, …, y_{n-1} ∉ Q'. Therefore $Q_{2i-2}[x/y_{i-1}] \Rightarrow Q_{2i-1}[x/y_{i-1}] \xrightarrow{(y_i/x)} Q_{2i}$, for 2 ≤ i ≤ n, and $Q_{2n}[x/y_n] \Rightarrow_x Q'[x/y_n]$ by an earlier lemma. With these observations one obtains the following inference, assuming $Q\sigma_M \Rightarrow_x Q_1$ is not vacuous:

$Q = Q + [M][x/x].(Q_1 + (y_1/x).Q_2)$
$\quad = Q + [M][x/x].(Q_1 + (y_1/x).Q_2 + [x/x].Q_2[x/y_1])$
$\quad = Q + [M]([x/x].(Q_1 + (y_1/x).Q_2 + [x/x].Q_2[x/y_1]) + [x/x].Q_2[x/y_1])$
$\quad = Q + [M][x/x].Q_2[x/y_1]$
$\quad \;\vdots$
$\quad = Q + [M][x/x].Q'[x/y_n]$

where the first equality holds by (6) and (7) of this lemma; the third equality is a consequence of P8. If $Q\sigma_M \Rightarrow_x Q_1$ is vacuous then

$Q = Q + [M](y_1/x).Q_2$
$\quad = Q + [M]((y_1/x).Q_2 + [x/x].Q_2[x/y_1])$
$\quad = Q + [M][x/x].Q_2[x/y_1].$

So the previous inference is valid anyway. □
Pr1  $\tau.P = \tau.(P + \sum_{i\in I}[M_i]\tau.P)$
Pr2  $\tau.P = \tau.(P + \sum_{i\in I_1}[M_i]\tau.P + \sum_{i\in I_2}[M_i](w/x_i).P)$
Pr3  $\tau.P = \tau.(P + \sum_{i\in I_1}[M_i]\tau.P + \sum_{i\in I_2}[M_i][x_i/x_i].P)$
Pr4  $\tau.P = \tau.(P + \sum_{i\in I_1}[M_i]\tau.P + \sum_{i\in I_2}[M_i](w/x_i).P + \sum_{i\in I_3}[M_i][x_i/x_i].P)$

In the above axioms, w is fresh and I, I_1, I_2, I_3 are finite indexing sets.

Fig. 4. The Promotion Axioms



7 Promotion Property 

In the proof of the completeness theorem for weak congruence in CCS, the following result, due to Hennessy, plays a crucial role:

If P ≈ Q then either τ.P = Q or P = Q or P = τ.Q.

Here ≈ is the weak bisimilarity and = is the congruence induced by ≈. In the proof of the completeness theorem by induction, Hennessy Lemma helps to lift P ≈ Q to either τ.P = Q or P = Q or P = τ.Q, thus allowing the induction hypothesis to apply. In π-calculus however Hennessy Lemma does not hold! For a counterexample, consider the following three propositions:

τ.(ax + [x=y]τ.ay) = ax
ax + [x=y]τ.ay = ax
ax + [x=y]τ.ay = τ.ax

None of them holds although ax + [x=y]τ.ay ≈ ax is true. This example explains why nobody has given a proof that Sangiorgi's system together with Milner's tau laws constitutes a complete system for weak open congruence. We believe that the resulting system is not capable of establishing the equality τ.(ax + [x=y]τ.ay) = τ.ax.

The purpose of this section is to present our solution. The motivation comes from a careful examination of the role of Hennessy Lemma in CCS. What it really comes down to is the following promotion property:

If P ≈ Q for normal form processes P and Q then τ.P = τ.Q is provable.

Motivated by this observation, we introduce four additional axioms as given in Figure 4. In the presence of a suitable set of prefix laws, these four axioms are capable of lifting AS to a complete system for an L-congruence. For this reason we call them promotion axioms. Clearly both Pr2 and Pr3 subsume Pr1 and are subsumed by Pr4.

Theorem 10. Suppose P and Q are in normal form.

(i) If $P \sim_{ro\cup ru\cup i\cup fi\cup fo\cup u} Q$ then $AS_\tau \cup \{Pr1\} \vdash \tau.P = \tau.Q$.

(ii) If $P \sim_{ro\cup ru\cup i\cup fi\cup fo} Q$ then $AS_\tau \cup \{P8, P16, P17, Pr3\} \vdash \tau.P = \tau.Q$.
Proof. We prove (ii) only. Suppose $P \sim_{ro\cup ru\cup i\cup fi\cup fo} Q$ for normal form processes P and Q. The proof is carried out by induction on the sum of the depths of P and Q. Let P be of the form

$\sum_{i\in I_1}[M_i]a_i[x_i].P_i + \sum_{i\in I_2}[M_i]a_i(x).P_i + \sum_{i\in I_3}[M_i][y_i/x_i].P_i + \sum_{i\in I_4}[M_i](y/x_i).P_i + \sum_{i\in I_5}[M_i]\tau.P_i$

and Q be of the same shape, with summands $[N_j]\ldots.Q_j$ indexed by J_1, …, J_5, the last of which is $\sum_{j\in J_5}[N_j]\tau.Q_j$.

Suppose, for i ∈ I_3, $y_i\sigma_{M_i} = x_i\sigma_{M_i}$ and $([M_i][y_i/x_i].P_i)\sigma_{M_i} \to P_i\sigma_{M_i}$ can only be matched up vacuously by $Q\sigma_{M_i}$. Then $AS_\tau \cup \{P8, P16, P17\} \vdash \tau.P_i\sigma_{M_i} = \tau.Q\sigma_{M_i}$ by the induction hypothesis. It follows that

$AS_\tau \cup \{P8, P16, P17\} \vdash [M_i][y_i/x_i].P_i = [M_i][x_i/x_i].Q$.

Suppose, for some i ∈ I_3, $y_i\sigma_{M_i} \neq x_i\sigma_{M_i}$. Using Lemma 9 and axiom P8, one can show that $AS_\tau \cup \{P8, P16, P17\} \vdash [M_i][y_i/x_i].P_i + Q = Q$.

Similarly one shows that some I' ⊆ I_5 exists such that the equality $[M_i]\tau.P_i = [M_i]\tau.Q$ is provable in $AS_\tau \cup \{P8, P16, P17\}$ for each i ∈ I', and that $AS_\tau \cup \{P8, P16, P17\} \vdash [M_i]\tau.P_i + Q = Q$ for each i ∈ I_5 \ I'.

It is also clear that $AS_\tau \cup \{P8, P16, P17\} \vdash [M_i]a_i[x_i].P_i + Q = Q$, respectively $AS_\tau \cup \{P8, P16, P17\} \vdash [M_i]a_i(x).P_i + Q = Q$ and $AS_\tau \cup \{P8, P16, P17\} \vdash [M_i](y/x_i).P_i + Q = Q$, if $[M_i]a_i[x_i].P_i$, respectively $[M_i]a_i(x).P_i$, $[M_i](y/x_i).P_i$, is a summand of P.

We can now conclude that $P + Q = Q + \sum_{i\in I'}[M_i]\tau.Q + \sum_{i\in I}[M_i][x_i/x_i].Q$ is provable in the system $AS_\tau \cup \{P8, P16, P17\}$ for some I ⊆ I_3 and I' ⊆ I_5. Now $\tau.Q = \tau.(Q + \sum_{i\in I'}[M_i]\tau.Q + \sum_{i\in I}[M_i][x_i/x_i].Q)$ by Pr3. It follows that $AS_\tau \cup \{P8, P16, P17, Pr3\} \vdash \tau.(P + Q) = \tau.Q$.

Symmetrically $AS_\tau \cup \{P8, P16, P17, Pr3\} \vdash \tau.(P + Q) = \tau.P$. Therefore $AS_\tau \cup \{P8, P16, P17, Pr3\} \vdash \tau.P = \tau.Q$. □



8 Completeness Theorem 

Having done all the preparations, we finally come to the completeness theorem. Its proof is so similar to the proof of the promotion lemma reported in the previous section as to render any reiteration redundant.

Theorem 11. (i) $AS_\tau \cup \{Pr1\}$ is sound and complete for $=_{ro\cup ru\cup i\cup fi\cup fo\cup u}$.
(ii) $AS_\tau \cup \{P8, P16, P17, Pr3\}$ is sound and complete for $=_{ro\cup ru\cup i\cup fi\cup fo}$.

Proof. Let's see how (ii) is proved. The soundness is easy. Suppose both P and Q are in normal form and $P =_{ro\cup ru\cup i\cup fi\cup fo} Q$. Using (ii) of Theorem 10 and its proof, one concludes that $P + Q = Q + \sum_{i\in I'}[M_i]\tau.Q + \sum_{i\in I}[M_i][x_i/x_i].Q$ is provable in the system $AS_\tau \cup \{P8, P16, P17\}$ for some I ⊆ I_3 and I' ⊆ I_5. But Q must be able to simulate a first move of P by a nonempty sequence of moves. This implies that both I and I' are empty. It follows that P + Q = Q is provable in $AS_\tau \cup \{P8, P16, P17, Pr3\}$. Similarly P + Q = P is provable in $AS_\tau \cup \{P8, P16, P17, Pr3\}$. Hence $AS_\tau \cup \{P8, P16, P17, Pr3\} \vdash P = Q$. □
Fig. 5. Summary of the 18 Completeness Systems (table columns: Congruence; Axioms in Addition to AS ∪ {P1, P2, P3})



9 Concluding Remarks 

The work reported in this paper consists of two parts. The first part is a continuation of the study of L-bisimilarities on asymmetric χ-processes initiated in the earlier paper. The result of this investigation is a finer description of L-bisimilarities in terms of open L-bisimilarities. This alternative view leads immediately to the explicit definition of the largest congruence relation, the L-congruence, contained in an L-bisimilarity. Building upon the first part, the second part explains a streamlined approach to derive complete systems for L-congruences. In addition to the axioms and rules for strong bisimilarity, 21 axioms are proposed. It is shown that these are enough to lift a complete system for the strong bisimilarity to complete systems for L-congruences. Due to space restriction, the paper discusses only two L-bisimilarities. The definitions of the other sixteen open L-bisimilarities fit into the pattern of Definition 6. Most of them are even more complex. It should be emphasized that these definitions are not simply a matter of putting things together. In Figure 5 the 18 complete systems for L-congruences are given.

It can be easily shown that the top element of the bisimulation lattice coincides with the barbed bisimilarity on χ-processes. So we have in fact given a complete system for the barbed congruence. It is surprising that axiomatization of the barbed congruence is almost as difficult as axiomatization of all the 18 L-congruences. This points out the importance of the bisimulation lattice. Even if we do not care much about most of the L-congruences, we are forced to pay attention to them. The author certainly could not have discovered the axioms for barbed congruence had he not discovered the bisimulation lattice of χ-calculus. As a digression, we remark that barbed bisimilarity, which we believe is a very sensible equality, is usually much weaker than the 'traditional bisimilarity' we have in mind. The coincidence, as might be the case in π-calculus with binary choice operator, is an exception rather than the rule.

The mistake made in the earlier systems is caused by the false assumption that Hennessy Lemma held in calculi of mobile processes. The result of this paper indicates that none of those systems is likely to be complete for the intended congruence. It is apparent from our work that Sangiorgi's system for strong open congruence on π-processes can be extended to a complete system for weak open congruence on π-processes by adding the tau laws and the promotion axiom Pr1.

Among the 17 prefix laws, P8, P9, P10 and P11 are the most unusual. They share a structural similarity that is quite different from the structure of the three tau laws shared by the rest of the laws. We leave for future study the question of whether these laws can be simplified. The rest of the prefix laws are quite satisfactory.

The promotion axioms are very interesting. It is worth investigating the possibility of simplifying them.

Finally we remark that the prefix laws are not independent. For instance P6 is subsumed by P7 in the system AS. This however does not mean that P6 is redundant. It is used for example in the complete system of $=_{ro\cup i\cup fi\cup fo\cup u}$, for which P7 is too strong.
Abstract. In order to study control problems for hybrid systems, we generalize hybrid automata to hybrid games, say, controller vs. plant. If we specify the continuous dynamics by constant lower and upper bounds, we obtain rectangular games. We show that for rectangular games with objectives expressed in Ltl (linear temporal logic), the winning states for each player can be computed, and winning strategies can be synthesized. Our result is sharp, as already reachability is undecidable for generalizations of rectangular systems, and optimal, namely singly exponential in the size of the game structure and doubly exponential in the size of the Ltl objective. Our proof systematically generalizes the theory of hybrid systems from automata (single-player structures) to games (multi-player structures): we show that the successively more general infinite-state classes of timed, 2d rectangular, and rectangular games induce successively weaker, but still finite, quotient structures called game bisimilarity, game similarity, and game trace equivalence. These quotients can be used, in particular, to solve the Ltl control problem.



1 Introduction 

A hybrid automaton is a mathematical model for a system with both discretely and continuously evolving variables, such as a digital computer that interacts with an analog environment. An important special case of a hybrid automaton is the rectangular automaton, where the enabling condition for each discrete state change is a rectangular region of continuous states, and the first derivative of each continuous variable x is bounded by constants from below and above; that is, $\dot x \in [a, b]$. Rectangular automata are important for several reasons. First, they generalize timed automata (for which a = b = 1) and naturally model real-time systems whose clocks have bounded drift. Second, they can over-approximate with arbitrary precision the behavior of hybrid automata with general linear and nonlinear continuous dynamics, as long as all derivatives
MURI grant DAAH-04-96-1-0341.

Jos C.M. Baeten, Sjouke Mauw (Eds.): CONCUR'99, LNCS 1664, pp. 320, 1999.
© Springer-Verlag Berlin Heidelberg 1999

Rectangular Hybrid Games



satisfy the Lipschitz condition. Third, they form a most general class of hybrid automata for which the Ltl model-checking problem can be decided: given a rectangular automaton A and a formula φ of linear temporal logic over the discrete states of A, it can be decided in polynomial space if all possible behaviors of A satisfy φ.

Since hybrid automata are often used to model digital controllers for analog plants, an important problem for hybrid automata is the Ltl control problem: given a hybrid automaton A and an Ltl formula φ, can the behaviors of A be "controlled" so as to satisfy φ? However, the hybrid automaton per se is an inadequate model for studying this problem because it does not differentiate between the capabilities of its individual components, the controller and the plant, if you wish. Since the control problem is naturally formalized in terms of a two-player game, we define hybrid games.¹ Because our setup is intended to be as general as possible, we do not distinguish between a "discrete player" (which directs discrete state changes) and a "continuous player" (which advances time); rather, in a hybrid game, each of the two players can itself act like a hybrid automaton. The game proceeds in an infinite sequence of rounds and produces an ω-sequence of states. In each round, both players independently choose enabled moves; the pair of chosen moves either results in a discrete state change, or in a passage of time during which the continuous state evolves. In the special case of a rectangular game, the enabling condition of each move is a rectangular region of continuous states, and when time advances, the derivative of each continuous variable is governed by a constant differential inclusion. Now, the Ltl control problem for hybrid games asks: given a hybrid game B and an Ltl formula φ over the discrete states of B, is there a strategy for player-1 so that all possible outcomes of the game satisfy φ?

Our main result shows that the Ltl control problem can be decided for rectangular games. Previously, beyond the finite-state case, control problems have been solved only for the special case of timed games (which corresponds to timed automata) and for rectangular games under the assumption that the controller can move only at integer points in time (sampling control). Semi-algorithms for control have also been proposed for more general linear and nonlinear hybrid games, but in these cases termination is not guaranteed.

The algorithms for timed games and sampling control are based on the fact that the underlying state spaces can be partitioned into finitely many bisimilarity classes, and the controller does not need to distinguish between bisimilar states. Our argument is novel, because rectangular games in general do not have finite bisimilarity quotients. Our result is sharp, because the control problem for a class of hybrid games is at least as hard as the reachability problem for the corresponding class of hybrid automata, and reachability has been proved undecidable for several minor extensions of rectangular automata. The complexity of our algorithm, which requires singly exponential time in the size of the game B and doubly exponential time in the size of the formula φ, is optimal, because control

¹ For the sake of simplicity, in this paper we restrict ourselves to the two-player case. All results generalize immediately to more than two players.
is harder than model checking: reachability control for timed games is Exptime-hard, and Ltl control for finite-state games is 2Exptime-hard.

Let us now take a more detailed preview of our approach. For the solution of infinite-state model-checking problems, such as those of hybrid automata, it is helpful if there exists a finite quotient space that preserves the properties under consideration. Specifically, provided the duration of time steps is invisible, every timed automaton is bisimilar to a finite-state automaton; every 2d rectangular automaton (with two continuous variables) is similar (simulation equivalent) to a finite-state automaton; and every rectangular automaton is trace equivalent to a finite-state automaton. Since Ltl model checking can be reduced to model checking on the trace-equivalence quotient, the decidability of Ltl model checking for rectangular automata follows. The three characterizations are sharp; for example, the similarity quotient of 3d rectangular automata can be infinite, and therefore the quotient approach does not lead to branching-time model-checking algorithms for rectangular automata.

By introducing an appropriate generalization of trace equivalence, which we call game trace equivalence, the argument for Ltl model checking of rectangular automata (single-player structures) can be systematically carried over to Ltl control of rectangular games (two-player structures). This is done in two steps. First, we show that given the game trace equivalence ≡ on the (possibly infinite) state space of a two-player structure B, an appropriately defined quotient game B/≡ can be used to answer the Ltl control problem for B, and to synthesize the corresponding control strategies. Second, following the arguments for rectangular automata, we show that if B is a rectangular game, then ≡ has only finitely many equivalence classes, and consequently B/≡ is a finite-state game. Our main result follows. Along the way, we also generalize bisimilarity and similarity to game bisimilarity and game similarity, which are finer than game trace equivalence, and we show that the special case of timed games has finite game bisimilarity relations, and the special case of 2d rectangular games has finite game similarity relations. This gives, on one hand, better bounds on the number of equivalence classes for the special cases, and on the other hand, cleanly generalizes the entire theory of rectangular automata to rectangular games.

2 Using Games For Modeling Control

In this section, we define a standard model of discrete-event control using games with simultaneous moves and Ltl objectives, review some known results, and introduce several equivalences on the state space of such a game.



2.1 Game Structures and the LTL Control Problem 

One Player. A transition structure (or single-player structure) 

$$\mathcal{F} = (Q, \Pi, \langle\langle\cdot\rangle\rangle, Moves, Enabled, \delta)$$ 

consists of a set $Q$ of states, a set $\Pi$ of observations, an observation function $\langle\langle\cdot\rangle\rangle: Q \to 2^{\Pi}$ which maps each state to a set of observations, a set $Moves$ of moves, an enabling function $Enabled: Moves \to 2^{Q}$ which maps each move to the set of states in which it is enabled, and a partial transition function $\delta: Q \times Moves \to 2^{Q}$ which maps each move $m$ and each state in $Enabled(m)$ to a set of possible successor states. For each state $q \in Q$, we write $mov(q) = \{m \in Moves \mid q \in Enabled(m)\}$ for the set of moves that are enabled in $q$. We require that $mov(q) \neq \emptyset$ for all $q \in Q$. A step of $\mathcal{F}$ is a triple $q \xrightarrow{m} q'$ such that $m \in mov(q)$ and $q' \in \delta(q, m)$. A run of $\mathcal{F}$ is an infinite sequence $r = s_0 s_1 s_2 \ldots$ of steps $s_j = q_j \xrightarrow{m_j} q_j'$ such that $q_{j+1} = q_j'$ for all $j \geq 0$. The state $q_0$ is called the source of $r$. The run $r$ induces a trace, denoted $\langle\langle r\rangle\rangle$, which is the infinite sequence $\langle\langle q_0\rangle\rangle\, m_0\, \langle\langle q_1\rangle\rangle\, m_1\, \langle\langle q_2\rangle\rangle\, m_2 \ldots$ of alternating observation sets and moves. For a state $q \in Q$, the outcome $R^q$ from $q$ is the set of all runs of $\mathcal{F}$ with source $q$. For a set $R$ of runs, we write $\langle\langle R\rangle\rangle$ for the set $\{\langle\langle r\rangle\rangle \mid r \in R\}$ of corresponding traces. 

Two Players. A (two-player) game structure 

$$\mathcal{G} = (Q, \Pi, \langle\langle\cdot\rangle\rangle, Moves_1, Moves_2, Enabled_1, Enabled_2, \delta)$$ 

consists of the same components as above, except that $Moves_1$ ($Moves_2$) is the set of moves of player-1 (player-2), $Enabled_1$ maps $Moves_1$ to $2^{Q}$, $Enabled_2$ maps $Moves_2$ to $2^{Q}$, and the partial transition function $\delta: Q \times Moves_1 \times Moves_2 \to 2^{Q}$ maps each move $m_1$ of player-1, each move $m_2$ of player-2, and each state in $Enabled_1(m_1) \cap Enabled_2(m_2)$ to a set of possible successor states. For $i = 1, 2$, we define $mov_i: Q \to 2^{Moves_i}$ to yield for each state $q$ the set $mov_i(q) = \{m \in Moves_i \mid q \in Enabled_i(m)\}$ of player-$i$ moves that are enabled in $q$. We require that $mov_i(q) \neq \emptyset$ for all $q \in Q$ and $i = 1, 2$. At each step of the game, player-1 chooses a move $m_1 \in mov_1(q)$ that is enabled in the current state $q$, player-2 simultaneously and independently chooses a move $m_2 \in mov_2(q)$ that is enabled in $q$, and the game proceeds nondeterministically to a new state in $\delta(q, m_1, m_2)$. Formally, a step of $\mathcal{G}$ is a step of the underlying transition structure 

$$\mathcal{F}_{\mathcal{G}} = (Q, \Pi, \langle\langle\cdot\rangle\rangle, Moves_1 \times Moves_2, Enabled, \delta'),$$ 

where $Enabled(m_1, m_2) = Enabled_1(m_1) \cap Enabled_2(m_2)$ and $\delta'(q, (m_1, m_2)) = \delta(q, m_1, m_2)$. We refer to the runs and traces of $\mathcal{F}_{\mathcal{G}}$ as runs and traces of the game structure $\mathcal{G}$. 

A strategy for player-$i$ is a function $f_i: Q^{+} \to 2^{Moves_i}$ such that $\emptyset \neq f_i(w \cdot q) \subseteq mov_i(q)$ for every state sequence $w \in Q^{*}$ and every state $q \in Q$. The strategy $f_i$ is memory-free if $f_i(w \cdot q) = f_i(w' \cdot q)$ for all $w, w' \in Q^{*}$ and $q \in Q$. Let $f_1$ ($f_2$) be a strategy for player-1 (player-2). The outcome $R^{q}_{f_1, f_2}$ from state $q \in Q$ for $f_1$ and $f_2$ is the subset of the runs of $\mathcal{G}$ with source $q$ that follow both strategies: a run $s_0 s_1 s_2 \ldots$ is in $R^{q}_{f_1, f_2}$ if $q_0 = q$ and, for all $j \geq 0$, if $s_j = q_j \xrightarrow{(m_{1j}, m_{2j})} q_j'$, then $m_{ij} \in f_i(q_0 q_1 \cdots q_j)$ for $i = 1, 2$. 

Linear Temporal Logic. The formulas of linear temporal logic (LTL) are generated inductively by the grammar 

$$\varphi ::= \pi \mid \neg\varphi \mid \varphi_1 \vee \varphi_2 \mid \bigcirc\varphi \mid \varphi_1\, \mathcal{U}\, \varphi_2,$$ 

where $\pi \in \Pi$ is an observation, $\bigcirc$ is the next operator, and $\mathcal{U}$ is the until operator. From these operators, additional operators such as $\Diamond\varphi = (true\, \mathcal{U}\, \varphi)$ and $\Box\varphi = \neg\Diamond\neg\varphi$ can be defined as usual. The LTL formulas are interpreted over traces in the standard way [ref]. For example, the formula $\Box\pi$ is satisfied by the trace $\langle\langle q_0\rangle\rangle m_0 \langle\langle q_1\rangle\rangle m_1 \langle\langle q_2\rangle\rangle m_2 \ldots$ iff $\pi \in \langle\langle q_j\rangle\rangle$ for all $j \geq 0$. 

Player-1 can control the state $q$ of a game structure for the LTL formula $\varphi$ if there exists a strategy $f_1$ of player-1 such that for every strategy $f_2$ of player-2 and every run $r \in R^{q}_{f_1, f_2}$, the trace $\langle\langle r\rangle\rangle$ satisfies $\varphi$.^1 In this case, we say that the strategy $f_1$ witnesses the player-1 controllability of $q$ for $\varphi$. The LTL control problem asks, given a game structure $\mathcal{G}$ and an LTL formula $\varphi$, which states of $\mathcal{G}$ can be controlled by player-1 for $\varphi$. The LTL controller-synthesis problem asks, in addition, for the construction of witnessing strategies. If the game structure $\mathcal{G}$ is finite, then the LTL control problem is PTIME-complete in the size of $\mathcal{G}$ [ref] and 2EXPTIME-complete in the size of $\varphi$ [ref]. Whereas for simple LTL formulas such as safety formulas (for example, $\Box\pi$ for an observation $\pi \in \Pi$) controllability ensures the existence of memory-free witnessing strategies, this is not the case for arbitrary LTL formulas [ref]. 



2.2 State Equivalences and Quotients for Game Structures 

One Player. The following equivalences on the states of a transition structure will motivate our definitions for game structures. Consider a transition structure $\mathcal{F} = (Q, \Pi, \langle\langle\cdot\rangle\rangle, Moves, Enabled, \delta)$. A binary relation $\preceq\ \subseteq Q \times Q$ is a (forward) simulation if $p \preceq q$ implies the following three conditions: 

1. $\langle\langle p\rangle\rangle = \langle\langle q\rangle\rangle$; 
2. $mov(p) \subseteq mov(q)$; 
3. $\forall m \in mov(p).\ \forall p' \in \delta(p, m).\ \exists q' \in \delta(q, m).\ p' \preceq q'$. 

We say that $p$ is (forward) simulated by $q$, in symbols $p \preceq_f q$, if there is a simulation $\preceq$ with $p \preceq q$. We write $p \simeq_f q$ if both $p \preceq_f q$ and $q \preceq_f p$. The relation $\simeq_f$ is called similarity. A binary relation on $Q$ is a bisimulation if it is a symmetric simulation. Define $p \cong q$ if there is a bisimulation $\approx$ with $p \approx q$. The relation $\cong$ is called bisimilarity. A binary relation $\preceq$ on $Q$ is a backward simulation if $p' \preceq q'$ implies the following three conditions: 

1. $\langle\langle p'\rangle\rangle = \langle\langle q'\rangle\rangle$; 
2. $mov(p') \subseteq mov(q')$; 
3. $\forall p \in Q.\ \exists q \in Q.\ \forall m \in mov(p).\ p' \in \delta(p, m) \Rightarrow q' \in \delta(q, m) \wedge p \preceq q$. 

Then $p'$ is backward simulated by $q'$, in symbols $p' \preceq_b q'$, if there is a backward simulation $\preceq$ with $p' \preceq q'$. A binary relation $\sqsubseteq$ on $Q$ is a trace containment if $p \sqsubseteq q$ implies $\langle\langle R^{p}\rangle\rangle \subseteq \langle\langle R^{q}\rangle\rangle$. Define $p \preceq_t q$ if there is a trace containment $\sqsubseteq$ with $p \sqsubseteq q$. We write $p \simeq_t q$ if both $p \preceq_t q$ and $q \preceq_t p$. The relation $\simeq_t$ is called trace equivalence. 

^1 Our choice to control for LTL formulas rather than, say, $\omega$-automata [ref] is arbitrary. In the latter case, only the complexity results must be modified accordingly. 

Two Players. The basic local requirement behind the preorders $\preceq_f$ and $\preceq_b$ on the states of a transition structure is that if $p \preceq q$, then the move and the observation set of each step from $p$ can be matched by a step from $q$ (the two preorders differ in how they globalize this local requirement). For the corresponding preorders $\preceq^{g}$ on the states of a game structure, we generalize this to requiring that if $p \preceq^{g} q$, and player-1 can enforce a certain observation set by a certain move from $q$ in one step, then player-1 can enforce the same observation set by the same move also from $p$ in one step. This gives rise to the following definitions. Consider a game structure $\mathcal{G} = (Q, \Pi, \langle\langle\cdot\rangle\rangle, Moves_1, Moves_2, Enabled_1, Enabled_2, \delta)$. A binary relation $\preceq\ \subseteq Q \times Q$ is a (forward player-1) game simulation if $p \preceq q$ implies the following three conditions:^2 

1. $\langle\langle p\rangle\rangle = \langle\langle q\rangle\rangle$; 
2. $mov_1(q) \subseteq mov_1(p)$ and $mov_2(p) \subseteq mov_2(q)$; 
3. $\forall m_1 \in mov_1(q).\ \forall m_2 \in mov_2(p).\ \forall p' \in \delta(p, m_1, m_2).\ \exists q' \in \delta(q, m_1, m_2).\ p' \preceq q'$. 

A binary relation $\preceq$ on $Q$ is a backward (player-1) game simulation if $p' \preceq q'$ implies the following three conditions: 

1. $\langle\langle p'\rangle\rangle = \langle\langle q'\rangle\rangle$; 
2. $mov_1(q') \subseteq mov_1(p')$ and $mov_2(p') \subseteq mov_2(q')$; 
3. $\forall p \in Q.\ \exists q \in Q.\ \forall m_1 \in mov_1(q).\ \forall m_2 \in mov_2(p).\ p' \in \delta(p, m_1, m_2) \Rightarrow q' \in \delta(q, m_1, m_2) \wedge p \preceq q$. 

A binary relation $\sqsubseteq$ on $Q$ is a (player-1) game trace containment if $p \sqsubseteq q$ implies that for every strategy $f_1$ of player-1 there exists a strategy $f_1'$ of player-1 such that for every strategy $f_2'$ of player-2 there exists a strategy $f_2$ of player-2 such that $\langle\langle R^{p}_{f_1', f_2'}\rangle\rangle \subseteq \langle\langle R^{q}_{f_1, f_2}\rangle\rangle$. From this, the maximal preorders $\preceq^{g}_f$, $\preceq^{g}_b$, and $\preceq^{g}_t$, as well as the equivalence relations game similarity $\simeq^{g}_f$, game bisimilarity $\cong^{g}$, and game trace equivalence $\simeq^{g}_t$, are defined as in the single-player case.^3 The following proposition, which follows immediately from the definitions, characterizes the game equivalences in terms of the underlying transition structure. 

Proposition 1. Two states $p$ and $q$ of a game structure $\mathcal{G}$ are game bisimilar (game similar, game trace equivalent) iff $p$ and $q$ are bisimilar (similar, trace equivalent) in the underlying transition structure $\mathcal{F}_{\mathcal{G}}$. 

It follows that $\cong^{g}$ refines $\simeq^{g}_f$, that $\simeq^{g}_f$ refines $\simeq^{g}_t$, and that in general these refinements are proper.^4 It also follows that the standard partition-refinement algorithms for computing bisimilarity and similarity [ref] can be applied also to compute the game bisimilarity and the game similarity relations. 

^2 There is also a dual, player-2 game simulation, which we do not need in this paper. 
^3 Note that, being symmetric, the game equivalences $\simeq^{g}_f$, $\cong^{g}$, and $\simeq^{g}_t$ are not indexed by a player (unlike the game preorders $\preceq^{g}_f$, $\preceq^{g}_b$, and $\preceq^{g}_t$). In particular, $p \cong^{g} q$ implies that $mov_1(p) = mov_1(q)$ and $mov_2(p) = mov_2(q)$. 
^4 We say that the equivalence relation $\equiv_1$ (properly) refines the equivalence relation $\equiv_2$ if $p \equiv_1 q$ implies $p \equiv_2 q$ (but not vice versa). 

Game Trace-Equivalence Quotient. Consider two states $p$ and $q$ of a game structure $\mathcal{G}$. By definition, if $p \preceq^{g}_t q$, then for every LTL formula $\varphi$, if player-1 can control $q$ for $\varphi$, then player-1 can also control $p$ for $\varphi$. The relations with this property are called alternating trace containments [ref] and differ from the game trace containments defined here in that the names of the moves of both players are not observable.^5 We keep all moves observable, and include the names of moves in the definition of traces, so that $p \preceq^{g}_t q$ implies that if the strategy $f_1$ witnesses the player-1 controllability of $q$ for $\varphi$, then the same strategy $f_1$ also witnesses the player-1 controllability of $p$ for $\varphi$. Consequently, the game trace equivalence on the game structure $\mathcal{G}$ suggests a quotient structure that can be used for controller synthesis. Let $\equiv$ be any equivalence relation on the states of $\mathcal{G}$ which refines the game trace equivalence $\simeq^{g}_t$. The quotient structure $\mathcal{G}/\!\equiv$ is the game structure 

$$(Q/\!\equiv,\ \Pi,\ \langle\langle\cdot\rangle\rangle/\!\equiv,\ Moves_1,\ Moves_2,\ Enabled_1/\!\equiv,\ Enabled_2/\!\equiv,\ \delta/\!\equiv)$$ 

with 

- $Q/\!\equiv\ = \{[q]_{\equiv} \mid q \in Q\}$ is the set of equivalence classes of $\equiv$; 
- $\langle\langle [q]_{\equiv}\rangle\rangle/\!\equiv\ = \langle\langle q\rangle\rangle$ (note that $\langle\langle\cdot\rangle\rangle/\!\equiv$ is well defined because $\equiv$ refines $\simeq^{g}_t$, and hence $\langle\langle\cdot\rangle\rangle$ is uniform within each equivalence class); 
- $[q]_{\equiv} \in Enabled_1/\!\equiv(m)$ iff $\exists p \in [q]_{\equiv}.\ p \in Enabled_1(m)$ (note that this is equivalent to $\forall p \in [q]_{\equiv}.\ p \in Enabled_1(m)$, because $\equiv$ refines $\simeq^{g}_t$), and analogously for $Enabled_2/\!\equiv$; 
- $[q']_{\equiv} \in \delta/\!\equiv([q]_{\equiv}, m_1, m_2)$ iff $\exists p' \in [q']_{\equiv}.\ \exists p \in [q]_{\equiv}.\ p' \in \delta(p, m_1, m_2)$. 

The following proposition reduces control for an LTL formula $\varphi$ in the game structure $\mathcal{G}$ to control for $\varphi$ in the quotient structure $\mathcal{G}/\!\equiv$. 

Proposition 2. Let $\mathcal{G}$ be a game structure, let $q$ be a state of $\mathcal{G}$, and let $\equiv$ be an equivalence relation on the states of $\mathcal{G}$ which refines the game trace equivalence for $\mathcal{G}$. Player-1 can control $q$ for $\varphi$ in $\mathcal{G}$ iff player-1 can control $[q]_{\equiv}$ for $\varphi$ in $\mathcal{G}/\!\equiv$. Moreover, if the strategy $f_1$ witnesses the player-1 controllability of $[q]_{\equiv}$ for $\varphi$ in $\mathcal{G}/\!\equiv$, then the strategy $f_1'$ defined by $f_1'(p_0 \ldots p_j) = f_1([p_0]_{\equiv} \ldots [p_j]_{\equiv})$ witnesses the player-1 controllability of $q$ for $\varphi$ in $\mathcal{G}$. 
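The remark that partition refinement computes game bisimilarity, the quotient construction above, and the strategy lifting of Proposition 2 are all mechanical on a finite game structure. The following Python is an added example, not code from the paper: it encodes a small two-player game structure with simultaneous moves exactly as in Section 2.1, computes the coarsest game bisimulation by naive partition refinement over the underlying single-player structure (Proposition 1: a move is a pair $(m_1, m_2)$), builds $\mathcal{G}/\!\equiv$ as defined in the list above, and lifts a quotient strategy as in Proposition 2. The state names, moves and transitions are constructed for illustration and carry no meaning beyond the example.

```python
"""Game bisimilarity by partition refinement, and the quotient game.

Added example, not part of the paper.  The game below, its state names and
moves are constructed for illustration only.
"""
from typing import Callable, Sequence

# Constructed game: observations per state, enabling sets per move, and delta.
OBS = {"a": frozenset({"safe"}), "b": frozenset({"safe"}),
       "c": frozenset({"safe"}), "d": frozenset({"bad"})}
ALL = frozenset(OBS)
ENABLED1 = {"l": ALL, "r": ALL}          # player-1 moves, enabled everywhere
ENABLED2 = {"x": ALL, "y": ALL}          # player-2 moves, enabled everywhere
DELTA = {                                # (state, m1, m2) -> set of successors
    ("a", "l", "x"): {"b"}, ("a", "l", "y"): {"a"},
    ("a", "r", "x"): {"b"}, ("a", "r", "y"): {"d"},
    ("b", "l", "x"): {"a"}, ("b", "l", "y"): {"b"},
    ("b", "r", "x"): {"a"}, ("b", "r", "y"): {"d"},
    ("c", "l", "x"): {"c"}, ("c", "l", "y"): {"c"},
    ("c", "r", "x"): {"d"}, ("c", "r", "y"): {"d"},
    ("d", "l", "x"): {"d"}, ("d", "l", "y"): {"d"},
    ("d", "r", "x"): {"d"}, ("d", "r", "y"): {"d"},
}


def mov(enabled, q):
    """mov_i(q): the moves of one player that are enabled in state q."""
    return frozenset(m for m, states in enabled.items() if q in states)


def game_bisimilarity(states, obs, enabled1, enabled2, delta):
    """Coarsest game bisimulation, returned as a map state -> block id.

    Starting from the trivial partition, a block is split whenever two of its
    states differ in observation, in enabled moves, or in the signature
    {(m1, m2, block of a successor)}.  The partition only ever gets finer,
    so iteration stops when the number of blocks no longer changes."""
    block = {q: 0 for q in states}
    while True:
        signatures, refined = {}, {}
        for q in sorted(states):
            succ = frozenset((m1, m2, block[q2])
                             for m1 in mov(enabled1, q)
                             for m2 in mov(enabled2, q)
                             for q2 in delta.get((q, m1, m2), ()))
            sig = (obs[q], mov(enabled1, q), mov(enabled2, q), succ)
            refined[q] = signatures.setdefault(sig, len(signatures))
        if len(signatures) == len(set(block.values())):
            return refined
        block = refined


def quotient(states, obs, enabled1, enabled2, delta, block):
    """The quotient game G/~ for an equivalence ~ (given as state -> block id)
    that refines game trace equivalence.  Observations and enabled moves must
    be uniform on each class; the assertions check this."""
    classes = {}
    for q in states:
        classes.setdefault(block[q], set()).add(q)
    q_obs, q_en1, q_en2, q_delta = {}, {}, {}, {}
    for b, members in classes.items():
        assert len({obs[q] for q in members}) == 1
        assert len({mov(enabled1, q) for q in members}) == 1
        assert len({mov(enabled2, q) for q in members}) == 1
        q_obs[b] = obs[next(iter(members))]
    for m, s in enabled1.items():
        q_en1[m] = {block[q] for q in s}
    for m, s in enabled2.items():
        q_en2[m] = {block[q] for q in s}
    for (q, m1, m2), succ in delta.items():
        q_delta.setdefault((block[q], m1, m2), set()).update(block[q2] for q2 in succ)
    return classes, q_obs, q_en1, q_en2, q_delta


def lift_strategy(f_quotient: Callable[[Sequence[int]], set], block) -> Callable:
    """Proposition 2: f'(p0 ... pj) = f([p0] ... [pj]) lifts a strategy of the
    quotient game to a strategy of the original game."""
    return lambda history: f_quotient([block[p] for p in history])


if __name__ == "__main__":
    blk = game_bisimilarity(ALL, OBS, ENABLED1, ENABLED2, DELTA)
    print("blocks:", blk)
    print("classes:", quotient(ALL, OBS, ENABLED1, ENABLED2, DELTA, blk)[0])
```

On the constructed game, states a and b end up in one class (their behaviour differs only in which of the two they move to), c is separated because its move r always reaches the bad sink, and d is alone; the quotient therefore has three states, and a strategy computed on it is played on the original game by looking at the classes of the visited states.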



3 Control of Rectangular Games 

In this section, we apply the framework developed in the previous section to a particular class of infinite-state game structures: rectangular hybrid games. We show that for every rectangular game, the game trace-equivalence quotient is finite. It follows from Proposition 2 that the LTL control and controller-synthesis problems are decidable for rectangular games. 

^5 Similarly, our game (bi)similarity relations, which consider all moves to be observable, refine the alternating (bi)similarity relations of [ref], where moves are not observable. 
3.1 Rectangular Games 

We generalize the rectangular automata of [ref], which are single-player structures, to two-player structures called rectangular games. A rectangle $r$ of dimension $n$ is a subset of $\mathbb{R}^{n}$ such that $r$ is the cartesian product of $n$ closed intervals, bounded or unbounded, all of whose finite end-points are integers.^6 Let $\mathfrak{R}^{n}$ be the set of all rectangles of dimension $n$. Denote by $r_k$ the projection of $r$ on its $k$th coordinate, so that $r = \prod_{k=1}^{n} r_k$. A rectangular game 

$$\mathcal{R} = (L, X, M_1, M_2, enabled_1, enabled_2, flow, E, jump, post)$$ 

consists of the following components: 

- A finite set $L$ of locations, which determine the discrete state of the game. 
- A set $X = \{x_1, \ldots, x_n\}$ of real-valued variables, which determine the continuous state of the game. The number $n$ is called the dimension of $\mathcal{R}$. 
- For $i = 1, 2$, a finite set $M_i$ of moves of player-$i$. Let $M_i^{time} = M_i \uplus \{time\}$, where $time$ is a special symbol not in $M_1$ or $M_2$ which denotes a move that permits the passage of time. 
- For $i = 1, 2$, a function $enabled_i: M_i^{time} \times L \to \mathfrak{R}^{n}$ which specifies for each move $m_i$ of player-$i$ and each location $\ell$ the rectangle in which $m_i$ is enabled when the discrete state of the game is $\ell$. Given a location $\ell \in L$, the rectangle $enabled_1(time, \ell) \cap enabled_2(time, \ell)$ is said to be the invariant region of $\ell$, and is denoted $inv(\ell)$. 
- A function $flow: L \to \mathfrak{R}^{n}$ which maps each location $\ell$ to a bounded rectangle that constrains the evolution of the continuous state of the game when the discrete state is $\ell$. 
- A set $E \subseteq (L \times M_1 \times M_2^{time} \times L) \cup (L \times M_1^{time} \times M_2 \times L)$ of edges, which specifies how the discrete state may pass from one location to another. 
- A function $jump: E \to 2^{\{1, \ldots, n\}}$ which maps each edge to the indices of those variables whose values may change when the discrete state proceeds along that edge. 
- A function $post: E \to \mathfrak{R}^{n}$ which maps each edge to a bounded rectangle that constrains the new continuous state when the discrete state proceeds along that edge. 

We require that for every edge $e = (\ell, \cdot, \cdot, \ell')$ and every coordinate $k = 1, \ldots, n$, if $flow(\ell)_k \neq flow(\ell')_k$, then $k \in jump(e)$. In [ref] the corresponding requirement on rectangular automata is called initialization and is shown to be necessary for simple reachability questions to be decidable. 

A state of the game $\mathcal{R}$ consists of a discrete part $\ell \in L$ and a continuous part $x \in \mathbb{R}^{n}$ such that $x$ lies in the invariant region of $\ell$; that is, the state space of $\mathcal{R}$ is the infinite set $Q_{\mathcal{R}} = \{(\ell, x) \in L \times \mathbb{R}^{n} \mid x \in inv(\ell)\}$. Informally, when the game is in state $(\ell, x)$, time can progress as long as both players choose the move $time$ 

^6 It is straightforward to permit intervals with rational end-points. A generalization of our results to open and half-open intervals is technically involved, but possible along the lines of [ref]. 
and the state, whose continuous part evolves over time obeying the differential inclusion $\dot{x} \in flow(\ell)$, remains in the invariant region $inv(\ell)$. The differential inclusion is obeyed by all differentiable trajectories whose first time derivative stays inside the rectangle $flow(\ell)$. Alternatively, a player may choose a move different from $time$ which is enabled in the current state. In this case, the discrete part of the state changes along an edge $e \in E$, and the continuous part of the state changes as follows. For each $k \in jump(e)$, the value of $x_k$ is nondeterministically assigned a new value in the interval $post(e)_k$. For each $k \notin jump(e)$, the value of $x_k$ does not change. This semantics is captured formally by the following definition. With the game $\mathcal{R}$ we associate the game structure 

$$\mathcal{G}_{\mathcal{R}} = (Q_{\mathcal{R}}, L, \langle\langle\cdot\rangle\rangle, M_1^{time}, M_2^{time}, Enabled_1, Enabled_2, \delta),$$ 

where $\langle\langle(\ell, x)\rangle\rangle = \{\ell\}$, $Enabled_i(m) = \{(\ell, x) \in Q_{\mathcal{R}} \mid x \in enabled_i(m, \ell)\}$, and $(\ell', x') \in \delta((\ell, x), m_1, m_2)$ iff either of the following two conditions is met: 

Time step of duration $t$ and slope $s$. We have $m_1 = m_2 = time$ and $\ell' = \ell$, and $x' = x + t \cdot s$ for some real vector $s \in flow(\ell)$ and some real $t \geq 0$ such that $(x + t' \cdot s) \in inv(\ell)$ for all $0 \leq t' \leq t$. 

Discrete step along edge $e$. There exists an edge $e = (\ell, m_1, m_2, \ell') \in E$ such that $(\ell, x) \in Enabled_i(m_i)$ for $i = 1, 2$, and $x'_k \in post(e)_k$ for all $k \in jump(e)$, and $x'_k = x_k$ for all $k \notin jump(e)$. 

Runs and traces, as well as preorders and equivalences on the states of a rectangular game $\mathcal{R}$, are all inherited from the underlying game structure $\mathcal{G}_{\mathcal{R}}$.^7 In what follows, we shall relate also states of two different rectangular games $\mathcal{R}_1$ and $\mathcal{R}_2$, as long as they agree on the observation (location) and move sets, with the understanding that this refers to the disjoint union of the structures $\mathcal{G}_{\mathcal{R}_1}$ and $\mathcal{G}_{\mathcal{R}_2}$. The LTL control problem for rectangular games asks, given a rectangular game $\mathcal{R}$ and an LTL formula $\varphi$, which states of the underlying game structure $\mathcal{G}_{\mathcal{R}}$ can be controlled by player-1 for $\varphi$. As before, the controller-synthesis problem asks, in addition, for a witnessing strategy. 
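The two clauses of the step relation $\delta$ above are easy to get subtly wrong when implemented, because all coordinates of a time step must share one duration $t$ and one slope vector $s$, and because both end states must lie in the invariant. The following Python is an added example, not code from the paper: it decides whether $(\ell', x') \in \delta((\ell, x), m_1, m_2)$ for a rectangular game given as plain dictionaries. Rectangles are tuples of closed intervals with exact `Fraction` end-points, `None` standing for an unbounded end; the two-dimensional game at the bottom, its location, move and constants are constructed for the example only. Since $flow(\ell)$ is bounded, the admissible durations $t$ for a time step form an interval obtained by intersecting one constraint per coordinate, and since $inv(\ell)$ is a closed rectangle (hence convex), checking that $x$ and $x'$ both lie in it suffices for the whole segment.

```python
"""Successor check for rectangular games (added example, not from the paper).

Implements the two clauses of delta for the game structure G_R: a time step
(both players play `time`) and a discrete step along an edge.  The game below
is constructed for illustration.
"""
from fractions import Fraction as F

TIME = "time"
INF = None  # unbounded interval end-point


def in_rect(x, rect):
    """x lies in the closed rectangle rect."""
    return all((lo is INF or lo <= xk) and (hi is INF or xk <= hi)
               for xk, (lo, hi) in zip(x, rect))


def intersect(r1, r2):
    """Intersection of two rectangles, coordinate by coordinate."""
    out = []
    for (lo1, hi1), (lo2, hi2) in zip(r1, r2):
        lo = lo2 if lo1 is INF else lo1 if lo2 is INF else max(lo1, lo2)
        hi = hi2 if hi1 is INF else hi1 if hi2 is INF else min(hi1, hi2)
        out.append((lo, hi))
    return tuple(out)


def _tighten(lo, hi, coef, d, lower_slope):
    """Add the constraint coef*t <= d (lower_slope=True) or d <= coef*t
    (lower_slope=False) to the interval [lo, hi] of admissible durations t.
    Returns an empty interval (lo > hi) when the constraint cannot be met."""
    if coef == 0:
        ok = d >= 0 if lower_slope else d <= 0
        return (lo, hi) if ok else (F(1), F(0))
    bound = d / coef
    if (coef > 0) == lower_slope:            # a > 0 or b < 0: t <= bound
        hi = bound if hi is INF else min(hi, bound)
    else:                                    # a < 0 or b > 0: t >= bound
        lo = max(lo, bound)
    return lo, hi


def time_step_possible(x, x2, flow):
    """Is there a duration t >= 0 and one slope s in flow (a bounded rectangle)
    with x2 = x + t*s?  Every coordinate k constrains the same t through
    a_k*t <= x2_k - x_k <= b_k*t, so the per-coordinate intervals are intersected."""
    lo, hi = F(0), INF
    for xk, x2k, (a, b) in zip(x, x2, flow):
        d = x2k - xk
        lo, hi = _tighten(lo, hi, a, d, True)
        lo, hi = _tighten(lo, hi, b, d, False)
    return hi is INF or lo <= hi


def is_successor(game, state, m1, m2, state2):
    """(l2, x2) in delta((l1, x), m1, m2) for the rectangular game `game`."""
    l1, x = state
    l2, x2 = state2
    def inv(loc):
        return intersect(game["enabled1"][(TIME, loc)], game["enabled2"][(TIME, loc)])
    if not (in_rect(x, inv(l1)) and in_rect(x2, inv(l2))):
        return False                          # both must be states of the game
    if m1 == TIME and m2 == TIME:
        # inv(l1) is closed and convex, so the segment from x to x2 stays inside it
        return l1 == l2 and time_step_possible(x, x2, game["flow"][l1])
    if not (in_rect(x, game["enabled1"][(m1, l1)]) and in_rect(x, game["enabled2"][(m2, l1)])):
        return False                          # move pair not enabled at (l1, x)
    for e in game["edges"]:
        if e != (l1, m1, m2, l2):
            continue
        jumped, post = game["jump"][e], game["post"][e]
        if all((post[k][0] <= x2[k] <= post[k][1]) if k in jumped else x2[k] == x[k]
               for k in range(len(x))):
            return True
    return False


# Constructed 2-dimensional game: x1 drifts with slope in [1, 2], x2 with slope
# in [0, 1]; player-1's `reset` is enabled once x1 >= 3 and sets x1 back to 0.
EDGE = ("on", "reset", TIME, "on")
GAME = {
    "enabled1": {(TIME, "on"): ((F(0), F(10)), (F(0), F(10))),
                 ("reset", "on"): ((F(3), INF), (INF, INF))},
    "enabled2": {(TIME, "on"): ((INF, INF), (INF, INF))},
    "flow": {"on": ((F(1), F(2)), (F(0), F(1)))},
    "edges": {EDGE},
    "jump": {EDGE: {0}},
    "post": {EDGE: ((F(0), F(0)), (F(0), F(0)))},
}


def demo():
    s0 = ("on", (F(0), F(0)))
    return (
        is_successor(GAME, s0, TIME, TIME, ("on", (F(3), F(1)))),   # t = 2, s = (3/2, 1/2)
        is_successor(GAME, s0, TIME, TIME, ("on", (F(2), F(3)))),   # x2 needs t >= 3, x1 allows t <= 2
        is_successor(GAME, ("on", (F(4), F(1))), "reset", TIME, ("on", (F(0), F(1)))),
        is_successor(GAME, ("on", (F(2), F(1))), "reset", TIME, ("on", (F(0), F(1)))),
    )


if __name__ == "__main__":
    print(demo())
```

The second case in `demo` is the one a coordinate-wise check would get wrong: each coordinate alone admits some duration, but no single $t$ serves both, so the point is not reachable by a time step.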

Example. Consider an assembly line scheduler that must assign each element from an incoming stream of parts to one of two assembly lines. The lines process jobs at different speeds: on the first line, each job travels between one and two meters per minute; on the second line, each job travels between two and three meters per minute. The first line is three meters long and the second is six meters long. Once an assembly line finishes a job, before the line can accept a new job there is a clean-up phase, which introduces a delay of two minutes for the first line and three minutes for the second. At least four minutes pass between the arrival of two successive jobs. The system is able to accept a new job if neither line is processing a job and at most one line is cleaning up. If a job arrives when the system is unable to process it, the system shuts down. 

^7 Along some runs of a rectangular game, the sum of the durations of all time steps converges. We do not rule out such degenerate runs, because appropriate conditions on the divergence of time can be expressed in LTL once slight modifications are made to the given game. A typical condition may assert that player-1 achieves the control objective unless player-2 refuses to let time diverge by infinitely often resetting a clock from 1 to 0 [ref]. 

Fig. 1. Two assembly lines modeled as a rectangular game 

We model the system as a rectangular game, pictured in Fig. 1. The discrete locations are $idle$, in which no job is being processed; $line_1$ ($line_2$), in which line 1 (line 2) is processing a job; and $shutdown$. The continuous variable $r$ measures the time since the last job arrived. The variable $c_1$ ($c_2$) tracks the amount of time line 1 (line 2) has spent cleaning up its previous job. The variable $x_1$ ($x_2$) measures the distance a job has traveled along line 1 (line 2). Player-2 has a single move, $request$, which alerts player-1 to the arrival of a new job. The moves of player-1 are $assign_1$ ($assign_2$), which assigns a job to line 1 (line 2), and $done$, which signals the completion of a job. It can be seen that a strategy which assigns jobs first to one assembly line, then to the other, and so on, ensures that the system never shuts down if started from location $idle$ with $r \geq 4$, $c_1 \geq 2$, and $c_2 \geq 2$. However, a strategy that always chooses the same line does not ensure that the system never shuts down. 

Special Cases of Rectangular Games. Consider a variable $x_k$ of a rectangular game. The variable $x_k$ is a finite-slope variable if for each location $\ell$ of the game, the interval $flow(\ell)_k$ is a singleton. If $flow(\ell)_k = [1, 1]$ for all locations $\ell$, then $x_k$ is called a clock. A rectangular game has deterministic jumps if for each edge $e$ of the game and each coordinate $k \in jump(e)$, the interval $post(e)_k$ is a singleton. A singular game is a rectangular game with deterministic jumps all of whose variables are finite-slope variables. Even more specific is the case of a timed game, which is a rectangular game with deterministic jumps all of whose variables are clocks. An essentially identical class of timed games has been defined and solved in [ref], and closely related notions of timed games are studied in [ref]. 
3.2 Game Bisimilarity for Singular Games 

Given an $n$-dimensional singular game $\mathcal{S}$, we define the region equivalence on the states of $\mathcal{S}$ following [ref]. For a real number $u$, let $frac(u)$ denote the fractional part of $u$. For a vector $u \in \mathbb{R}^{n}$, let $frac(u)$ denote the vector whose $k$th coordinate is the fractional part of $u_k$, for $k = 1, \ldots, n$. For an $n$-tuple $a$ of integers, define the equivalence relation $\equiv_a$ on $\mathbb{R}^{n}$ such that $x \equiv_a y$ iff for all $k, m = 1, \ldots, n$: (1) $\lfloor a_k x_k \rfloor = \lfloor a_k y_k \rfloor$, (2) $frac(a_k x_k) = 0$ iff $frac(a_k y_k) = 0$, and (3) $frac(a_k x_k) < frac(a_m x_m)$ iff $frac(a_k y_k) < frac(a_m y_m)$. Let $c$ be the maximum, over all constants $c'$ that appear in the definition of $\mathcal{S}$, of $|c'|$. For each location $\ell$ of $\mathcal{S}$, where $flow(\ell) = \prod_{k=1}^{n} [h^{\ell}_k, h^{\ell}_k]$, let $a^{\ell} = (a^{\ell}_1, \ldots, a^{\ell}_n)$ be the tuple of integers determined by the slopes $h^{\ell}_k$ [the defining equation for $a^{\ell}_k$ is not legible]; in particular, if $\mathcal{S}$ is a timed game, then $a^{\ell} = (1, 1, \ldots, 1)$ for all locations $\ell \in L$. Two states $(\ell, x)$ and $(\ell', y)$ of $\mathcal{S}$ are region equivalent, written $(\ell, x) \equiv_{\mathcal{S}} (\ell', y)$, if (1) $\ell = \ell'$, (2) $frac(x) \equiv_{a^{\ell}} frac(y)$, and (3) for $k = 1, \ldots, n$, either $\lfloor x_k \rfloor = \lfloor y_k \rfloor$ or both $\lfloor x_k \rfloor > c$ and $\lfloor y_k \rfloor > c$. The arguments of [ref] show that the region equivalence $\equiv_{\mathcal{S}}$ is a bisimulation on the single-player structure $\mathcal{F}_{\mathcal{G}_{\mathcal{S}}}$ associated with $\mathcal{G}_{\mathcal{S}}$. Using Proposition 1, we conclude that $\equiv_{\mathcal{S}}$ is a game bisimulation for $\mathcal{S}$. 

Theorem 3. For every singular game $\mathcal{S}$, the region equivalence $\equiv_{\mathcal{S}}$ refines the game bisimilarity $\cong^{g}$. 

It follows that every singular game has a finite quotient structure with respect to game bisimilarity. Since game bisimilarity refines game trace equivalence, by Proposition 2 the finite quotient structure can be used for LTL controller synthesis. The game bisimilarity quotient of a singular game may have at most $|L| \cdot 2^{O(n \log nbc)}$ equivalence classes ("regions"), where $b$ is the absolute value of the least common multiple of all nonzero, finite end-points of flow intervals. We note that the singular games are a maximal class of hybrid games for which finite game bisimilarity quotients exist. In particular, there exists a 2d rectangular game $\mathcal{R}$ such that the equality relation on states is the only game bisimulation for $\mathcal{R}$ [ref]. 
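The region equivalence is defined above as a conjunction of conditions on integer parts, zero fractional parts and the ordering of fractional parts; the practical way to use it is as a canonical key, so that two states are region equivalent exactly when their keys coincide, and the finiteness of the quotient (Theorem 3) shows up as a finite set of keys. The following Python is an added example, not code from the paper. It takes the per-location integer vector $a^{\ell}$ as an input supplied by the caller (for a timed game it is $(1, \ldots, 1)$, as the text states) and the bound $c$, uses exact `Fraction` arithmetic, and enumerates a grid of sample states to count the regions they fall into; the location name and sample points are constructed for the example.

```python
"""Region equivalence of a singular game as a canonical key (added example,
not from the paper).

region_key((l, x), a, c) is equal for two states exactly when they are region
equivalent: same location; frac(x) and frac(y) agree under ==_a (integer parts
of a_k*frac(x_k), which of those are zero, and the ordering of their
fractional parts); and every floor(x_k) agrees unless both exceed c.
"""
from fractions import Fraction
from itertools import product
from math import floor


def frac(u):
    """Fractional part of u, exact for Fractions, in [0, 1)."""
    return u - floor(u)


def region_key(state, a, c):
    loc, x = state
    # condition (3) of region equivalence: integer parts are merged beyond c
    ints = tuple(floor(xk) if floor(xk) <= c else c + 1 for xk in x)
    scaled = [ak * frac(xk) for ak, xk in zip(a, x)]      # a_k * frac(x_k)
    fr = [frac(v) for v in scaled]
    ranks = tuple(sorted(set(fr)).index(v) for v in fr)   # every '<' between pairs
    return (loc, ints,
            tuple(floor(v) for v in scaled),               # condition (1) of ==_a
            tuple(v == 0 for v in fr),                     # condition (2) of ==_a
            ranks)                                         # condition (3) of ==_a


def region_equivalent(s, t, a, c):
    return region_key(s, a, c) == region_key(t, a, c)


def count_regions(a, c, denom, loc="l"):
    """Number of distinct regions hit by the grid
    {i/denom : 0 <= i <= denom*(c+2)}^n in location loc."""
    n = len(a)
    axis = [Fraction(i, denom) for i in range(denom * (c + 2) + 1)]
    return len({region_key((loc, x), a, c) for x in product(axis, repeat=n)})


if __name__ == "__main__":
    print("timed, 2 clocks, c = 1:", count_regions((1, 1), 1, 4), "regions")
```

For two clocks and $c = 1$ the grid with step $1/4$ already hits every region, so refining the grid to step $1/8$ finds no new ones; the count stays at 54, i.e. 3 integer-part classes per clock times the 6 possible zero/ordering patterns of the two fractional parts.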

3.3 Game Similarity for 2d Rectangular Games 

Given a 2d rectangular game $\mathcal{T}$, we define, following [ref], the double-region equivalence on the states of $\mathcal{T}$ as the intersection of two region equivalences. For 2-tuples $a$ and $b$ of integers, define the equivalence relation $\equiv_{a,b}$ on $\mathbb{R}^{2}$ as the intersection of $\equiv_a$ and $\equiv_b$. Let $c$ be defined for $\mathcal{T}$ as it was for $\mathcal{S}$. For each location $\ell$ of $\mathcal{T}$ with $flow(\ell) = [g^{\ell}_1, h^{\ell}_1] \times [g^{\ell}_2, h^{\ell}_2]$, let $a^{\ell}$ and $b^{\ell}$ be the two 2-tuples formed from the end-points $g^{\ell}_1, h^{\ell}_1, g^{\ell}_2, h^{\ell}_2$ [their exact definition is not legible]. Two states $(\ell, x)$ and $(\ell', y)$ of $\mathcal{T}$ are double-region equivalent, written $(\ell, x) \equiv^{2}_{\mathcal{T}} (\ell', y)$, if (1) $\ell = \ell'$, (2) $frac(x) \equiv_{a^{\ell}, b^{\ell}} frac(y)$, and (3) for $k = 1, 2$, either $\lfloor x_k \rfloor = \lfloor y_k \rfloor$ or both $x_k > c$ and $y_k > c$. The arguments of [ref] show that the double-region equivalence $\equiv^{2}_{\mathcal{T}}$ is a simulation on the single-player structure $\mathcal{F}_{\mathcal{G}_{\mathcal{T}}}$ associated with $\mathcal{G}_{\mathcal{T}}$. Using Proposition 1, we conclude that $\equiv^{2}_{\mathcal{T}}$ is a game simulation for $\mathcal{T}$. 

Theorem 4. For every 2d rectangular game $\mathcal{T}$, the double-region equivalence $\equiv^{2}_{\mathcal{T}}$ refines the game similarity $\simeq^{g}_f$. 

This implies that every 2d rectangular game has a finite quotient structure with respect to game similarity. Since game similarity refines game trace equivalence, by Proposition 2 the finite quotient structure can be used for LTL controller synthesis. The game similarity quotient of a 2d rectangular game may have at most $O(|L| \cdot c^{k})$ equivalence classes for a fixed exponent $k$ [the exponent is not legible]. We note that the 2d rectangular games are a maximal class of hybrid games for which finite game similarity quotients exist. In particular, there exists a 3d rectangular game $\mathcal{R}$ such that the equality relation on states is the only game simulation for $\mathcal{R}$ [ref]. 

3.4 Game Trace Equivalence for Rectangular Games 

Given an $n$-dimensional rectangular game $\mathcal{R}$, we define, following [ref], a $2n$-dimensional singular game $\mathcal{S}_{\mathcal{R}}$ and a map $rect$ between the states of $\mathcal{S}_{\mathcal{R}}$ and the states of $\mathcal{R}$ so that states that are related by $rect$ are game trace equivalent. Since the singular game $\mathcal{S}_{\mathcal{R}}$ has a finite game trace-equivalence quotient (Theorem 3), it follows that the rectangular game $\mathcal{R}$ also has a finite game trace-equivalence quotient. The game $\mathcal{S}_{\mathcal{R}}$ has the same location and move sets as $\mathcal{R}$. We replace each variable $x_k$ of $\mathcal{R}$ by two finite-slope variables $y_{l(k)}$ and $y_{u(k)}$ such that when $flow_{\mathcal{R}}(\ell)(x_k) = [a_k, b_k]$, then $flow_{\mathcal{S}_{\mathcal{R}}}(\ell)(y_{l(k)}) = [a_k, a_k]$ and $flow_{\mathcal{S}_{\mathcal{R}}}(\ell)(y_{u(k)}) = [b_k, b_k]$. Intuitively, the variable $y_{l(k)}$ tracks the least possible value of $x_k$, and the variable $y_{u(k)}$ tracks the greatest possible value of $x_k$. With each edge step of $\mathcal{S}_{\mathcal{R}}$, the values of the variables are appropriately updated so that the interval $[y_{l(k)}, y_{u(k)}]$ maintains the possible values of $x_k$; the details can be found in [ref]. Call a state $(\ell, y)$ of $\mathcal{S}_{\mathcal{R}}$ an upper-half state if $y_{l(k)} \leq y_{u(k)}$ for all $k = 1, \ldots, n$. The function $rect: Q_{\mathcal{S}_{\mathcal{R}}} \to 2^{Q_{\mathcal{R}}}$, which maps each state of $\mathcal{S}_{\mathcal{R}}$ to a set of states of $\mathcal{R}$, is defined by $rect(\ell, y) = \{\ell\} \times \prod_{k=1}^{n} [y_{l(k)}, y_{u(k)}]$ if $(\ell, y)$ is an upper-half state, and $rect(\ell, y) = \emptyset$ otherwise. In [ref] it is shown that a state $q$ of the single-player structure $\mathcal{F}_{\mathcal{G}_{\mathcal{S}_{\mathcal{R}}}}$ forward simulates every state in $rect(q)$ of the single-player structure $\mathcal{F}_{\mathcal{G}_{\mathcal{R}}}$, and that every state $p \in rect(q)$ backward simulates $q$. In analogy to Proposition 1, these arguments carry over to the two-player structures $\mathcal{G}_{\mathcal{S}_{\mathcal{R}}}$ and $\mathcal{G}_{\mathcal{R}}$. 

Lemma 5. Let $\mathcal{R}$ be a rectangular game, let $q$ be a state of the singular game $\mathcal{S}_{\mathcal{R}}$, and let $p \in rect(q)$ be a state of $\mathcal{R}$. Then $p$ is forward game simulated by $q$, and $q$ is backward game simulated by $p$. 

Lemma 5 holds even if the durations of time steps are observable. It ensures the game trace equivalence of $p$ and $q$ for finite traces. Since the rectangles used in the definition of rectangular games are closed, it follows, as in [ref], that the trace set of $\mathcal{R}$ is limit-closed.^8 Hence, Lemma 5 is sufficient to show the game trace equivalence of $p$ and $q$ also for infinite traces. 

^8 A set $\Lambda$ of infinite sequences is limit-closed if for every infinite sequence $w$, when every finite prefix of $w$ is a prefix of some sequence in $\Lambda$, then $w$ itself is in $\Lambda$. 
Theorem 6. For every rectangular game $\mathcal{R}$, every state $q$ of the singular game $\mathcal{S}_{\mathcal{R}}$, and every state $p \in rect(q)$ of $\mathcal{R}$, the states $p$ and $q$ are game trace equivalent. 

It follows that the game trace-equivalence quotient of every rectangular game $\mathcal{R}$ is finite, and hence can be used for LTL controller synthesis (Proposition 2). It may have at most $2^{O(\log|L| + n \log nbc)}$ equivalence classes (corresponding to the regions of $\mathcal{S}_{\mathcal{R}}$), where $b$ and $c$ are defined as for singular games. (The constant factors hidden by the big-O notation may make the number of game trace-equivalence classes much larger than for a singular game with the same number of locations and continuous variables. Therefore, for the special cases that $\mathcal{R}$ is singular or 2-dimensional, the constructions of Sections 3.2 and 3.3 are superior in that they provide better bounds.) The EXPTIME-hardness part of the ensuing corollary follows from the fact that the structure complexity of LTL control is EXPTIME-hard already in the special case of timed games [ref]. 

Corollary 7. The control problem for a rectangular game $\mathcal{R}$ and an LTL formula $\varphi$ is EXPTIME-complete in the size of $\mathcal{R}$ and 2EXPTIME-complete in the size of $\varphi$. 

We note that the rectangular games are a maximal class of hybrid games for which finite game trace-equivalence quotients are known to exist. A triangle of dimension $n$ is a subset of $\mathbb{R}^{n}$ that can be defined by a conjunction of inequalities of the form $x_k \sim x_m + c$ and $x_k \sim c$, where $c$ is an integer constant and $\sim\ \in \{\leq, \geq\}$. Let $\mathfrak{T}^{n}$ be the set of all triangles of dimension $n$. All results about timed automata and timed games still apply if triangular enabling conditions (that is, $enabled_i: M_i^{time} \times L \to \mathfrak{T}^{n}$) are permitted, because for a timed game $\mathcal{T}$, every triangle is a union of equivalence classes of the region equivalence $\equiv_{\mathcal{T}}$ of $\mathcal{T}$ (Section 3.2) [ref]. This, however, is in general not the case for singular games. Indeed, the reachability problem for singular automata with triangular enabling conditions is undecidable [ref], and therefore so is the LTL control problem for singular games with triangular enabling conditions. 

We also note that, unlike for timed games with triangular enabling conditions, a witnessing strategy for the LTL control of a rectangular game may not be implementable as a rectangular controller automaton. This is because already for timed games without triangular enabling conditions, a winning strategy may have to be triangular, in the following sense. A memory-free strategy $f$ for an $n$-dimensional rectangular game is rectangular (triangular) if there exists a finite set $\Gamma$ of rectangles (triangles) such that (1) $\bigcup\Gamma$ [remainder of this condition is not legible], and (2) for every location $\ell$ of the game and all $x, y \in \mathbb{R}^{n}$, if $x$ and $y$ belong to exactly the same sets in $\Gamma$, then $f$ agrees on both $(\ell, x)$ and $(\ell, y)$. The following example illustrates a simple timed game for which no rectangular winning strategy exists. Consider Fig. 2 and the LTL objective $\Diamond\ell_3$. In the timed game $\mathcal{T}$ on the left, at the states whose discrete part is $\ell_0$, the only moves enabled for player-1 are $m_1$ and $m_2$; in particular, $time$ is not enabled there for player-1. Let $t_1 = \{x \in \mathbb{R}^{2} \mid 0 < x_2 < x_1 < 1\}$ and $t_2 = \{x \in \mathbb{R}^{2} \mid 0 < x_1 < x_2 < 1\}$. The right-hand side illustrates a portion of the finite quotient game structure $\mathcal{G}_{\mathcal{T}}/\!\equiv_{\mathcal{T}}$. At the states in $\{\ell_0\} \times t_1$, if player-1 chooses the move $m_2$, then from location $\ell_2$ player-1 will be unable to force a transition to location $\ell_3$. On the other hand, if at the states in $\{\ell_0\} \times t_1$ player-1 chooses the move $m_1$, then player-1 will be able to force a transition to $\ell_3$ (by first letting time progress until $x_2 = 1$, and then playing again the move $m_1$). Similarly, at the states in $\{\ell_0\} \times t_2$, player-1 must choose the move $m_2$ in order to eventually force entry into location $\ell_3$. 

Fig. 2. A triangular strategy is necessary for winning $\Diamond\ell_3$ 

Safety Control. We conclude with an observation that is important for making the control of rectangular games practical. The most important special case of LTL control is safety control. The safety control problem asks, given a game structure $\mathcal{G} = (Q, \Pi, \langle\langle\cdot\rangle\rangle, Moves_1, Moves_2, Enabled_1, Enabled_2, \delta)$ and a subset $\Sigma \subseteq \Pi$ of the observations, which states of $\mathcal{G}$ can be controlled by player-1 for the LTL formula $\Box\bigvee\Sigma$. Define $R_{\Sigma} = \{q \in Q \mid \Sigma \cap \langle\langle q\rangle\rangle \neq \emptyset\}$. For every set $R \subseteq Q$ of states, define the uncontrollable (player-1) predecessors of $R$ to be the set 

$$upre(R) = \{p \in Q \mid \forall m_1 \in mov_1(p).\ \exists m_2 \in mov_2(p).\ \delta(p, m_1, m_2) \cap R \neq \emptyset\}.$$ 

Then the set of states that can be controlled by player-1 for the LTL formula $\Box\bigvee\Sigma$ may be computed by iterating the $upre$ operator: starting from $B_0 = Q \setminus R_{\Sigma}$ and setting $B_{i+1} = B_i \cup upre(B_i)$, the answer to the safety control problem is $Q \setminus \bigcup_{i \geq 0} B_i$, that is, the complement of the least fixpoint of $R \mapsto (Q \setminus R_{\Sigma}) \cup upre(R)$. This method is called the fixpoint iteration for safety control. 

For every rectangular game $\mathcal{R}$, the $upre$ operator can be computed effectively [ref]. We say that a region $R$ of $\mathcal{R}$ corresponds to the region $S$ of the singular game $\mathcal{S}_{\mathcal{R}}$ if $R = \bigcup_{q \in S} rect(q)$. Notice that for every set $\Sigma$ of observations, the region $R_{\Sigma}$ of $\mathcal{R}$ corresponds to a union of game bisimilarity classes of $\mathcal{S}_{\mathcal{R}}$, and by Lemma 5, if $R$ corresponds to such a union, then so does $upre(R)$. Since the number of game bisimilarity classes of $\mathcal{S}_{\mathcal{R}}$ is finite (Theorem 3), the fixpoint iteration for safety control terminates. 

Corollary 8. The safety control problem for rectangular games can be decided by fixpoint iteration. 
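The fixpoint iteration for safety control is the part of this theory that is most often implemented directly, and on a finite game structure it also yields the memory-free witnessing strategy that Section 2.1 promises for safety objectives. The following Python is an added example, not code from the paper, covering the game structure and strategy definitions of Section 2.1 together with the safety-control paragraph above: it encodes a finite game structure with simultaneous moves, computes $upre$ literally from its definition, accumulates $B_{i+1} = B_i \cup upre(B_i)$ until the least fixpoint is reached, and extracts for every winning state the player-1 moves whose successors stay winning whatever player-2 replies. An independent check then confirms the witness. The server-style game (a controller that must never let the system reach the observation `down`), its states and moves are constructed for illustration only.

```python
"""Safety control by fixpoint iteration over upre (added example, not from
the paper).  The game below is constructed for illustration.
"""

STATES = frozenset({"idle", "busy", "over", "down"})
OBS = {"idle": {"up"}, "busy": {"up"}, "over": {"up"}, "down": {"down"}}
ENABLED1 = {"accept": STATES, "reject": STATES}      # player-1: the controller
ENABLED2 = {"req": STATES, "none": STATES}           # player-2: the environment
DELTA = {  # (state, m1, m2) -> set of successors; one entry is nondeterministic
    ("idle", "accept", "req"): {"busy"}, ("idle", "accept", "none"): {"idle"},
    ("idle", "reject", "req"): {"idle"}, ("idle", "reject", "none"): {"idle"},
    ("busy", "accept", "req"): {"over"}, ("busy", "accept", "none"): {"idle"},
    ("busy", "reject", "req"): {"busy"}, ("busy", "reject", "none"): {"idle"},
    ("over", "accept", "req"): {"down"}, ("over", "accept", "none"): {"busy"},
    ("over", "reject", "req"): {"over", "down"}, ("over", "reject", "none"): {"busy"},
    ("down", "accept", "req"): {"down"}, ("down", "accept", "none"): {"down"},
    ("down", "reject", "req"): {"down"}, ("down", "reject", "none"): {"down"},
}


def mov(enabled, q):
    """mov_i(q): the moves of one player that are enabled in state q."""
    return frozenset(m for m, states in enabled.items() if q in states)


def upre(states, enabled1, enabled2, delta, region):
    """Uncontrollable predecessors of `region`: whatever player-1 plays,
    player-2 has a reply under which some successor lies in `region`."""
    return {p for p in states
            if all(any(delta[(p, m1, m2)] & region for m2 in mov(enabled2, p))
                   for m1 in mov(enabled1, p))}


def safety_control(states, obs, enabled1, enabled2, delta, sigma):
    """Winning states for Box(V Sigma) and a memory-free witnessing strategy
    (state -> allowed player-1 moves)."""
    r_sigma = {q for q in states if obs[q] & sigma}
    bad = states - r_sigma                    # B_0 = Q \ R_Sigma
    while True:
        larger = bad | upre(states, enabled1, enabled2, delta, bad)
        if larger == bad:                     # least fixpoint reached
            break
        bad = larger
    win = states - bad
    strategy = {p: {m1 for m1 in mov(enabled1, p)
                    if all(delta[(p, m1, m2)] <= win for m2 in mov(enabled2, p))}
                for p in win}
    return win, strategy


def strategy_is_safe(states, enabled1, enabled2, delta, win, strategy):
    """Independent check of the witness: from every winning state, every move
    the strategy allows keeps all successors winning for every player-2 move,
    and the strategy is non-empty and enabled, as Section 2.1 requires."""
    return all(
        strategy[p] and strategy[p] <= mov(enabled1, p)
        and all(delta[(p, m1, m2)] <= win
                for m1 in strategy[p] for m2 in mov(enabled2, p))
        for p in win)


if __name__ == "__main__":
    w, f = safety_control(STATES, OBS, ENABLED1, ENABLED2, DELTA, {"up"})
    print("winning:", sorted(w))
    print("strategy:", f)
```

On the constructed game the first iteration adds `over` (from there player-2 can answer either move with `req` and reach `down`), the second adds nothing, so the winning set is {idle, busy}; in `busy` the only safe move is `reject`, which is exactly the memory-free strategy the text says safety objectives admit.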
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4 Conclusion 

Our results for two-player hybrid games, which extend also to multiple players, 
are summarized in the right column of the table below. They can be seen to 
generalize systematically the known results for hybrid automata (i.e., single- 
player hybrid games), which are summarized in the center column. The number 
of equivalence classes for all finite equivalences in the table is exponential in the 
size of the given automaton or game. The infinitary results in the right column 
follow immediately from the corresponding results in the center column. 



Table 1. Summary of results 

                                  Hybrid automata (single-player)                  Hybrid games (multi-player) 
Timed, singular, 2d rectangular   finite bisimilarity                              finite game bisimilarity 
Rectangular                       infinite bisimilarity, finite similarity         infinite game bisimilarity, finite game similarity 
Triangular                        infinite similarity, finite trace equivalence    infinite game similarity, finite game trace equivalence 

(The center column additionally lists: infinite trace equivalence.) 
Abstract. We propose a localizability criterion that allows local com- 
putations to be composed into a valid global one. We show that, in the 
presence of equivalence-robustness, most fairness notions proposed in the 
literature satisfy the localizability criterion. Moreover, we also present 
a general and efficient distributed algorithm to implement equivalence- 
robust fairness notions satisfying the localizability criterion. Our results 
therefore offer an appealing solution to the implementation problem for 
existing fairness notions for distributed programming languages and al- 
gebraic models of concurrency. 



1 Introduction 

The concept of interactions has been widely used in distributed programming 
languages (e.g., CSP [ref], Ada, Script, Action Systems [ref], IP and DisCo) 
and algebraic models of concurrency (e.g., CCS [ref], SCCS, LOTOS, 
π-calculus [ref]) to model synchronization and nondeterminism among 
processes. An interaction is a set of actions (usually communications) to be 
executed jointly by a set of processes, which must synchronize in order to com- 
mence the actions. Synchronization prevents a process from committing to a 
joint action too early, before other participants are ready. Nondeterminism al- 
lows a process to choose one ready interaction to execute from a set of potential 
interactions it has specified. 

For example, the producers and consumers problem can be easily expressed 
in CSP as follows: 

Producer_i, i = 1, 2 :: 
    integer data; 
    generate(data); 
    *[ Consumer_1 ! data → generate(data) 
     □ Consumer_2 ! data → generate(data) ] 

Consumer_i, i = 1, 2 :: 
    integer x; 
    *[ Producer_1 ? x → process(x) 
     □ Producer_2 ? x → process(x) ] 

The program describes that when a producer has prepared its data, it is willing 
to establish an interaction with either consumer to process the data. Similarly, 
when a consumer is ready, it is willing to accept new data from any producer. 

Note that conflicting interactions involving a common process cannot be ex- 
ecuted simultaneously. So if they are enabled at the same time, then only one of 
them can be chosen for execution. (An interaction is enabled if and only if all of 
its participants are ready for the interaction.) However, since nondeterminism 
allows an arbitrary enabled interaction to be chosen, the resulting computation 
may be improper to the system if the underlying scheduling scheme in the imple- 
mentation is prejudicial to some process or interaction. For example, the above 
CSP program may have a computation in which the two consumers alternately 
interact with one producer over and over again while blocking the other producer 
from sending out its data indefinitely. 

Therefore, some semantic constraint (often called a fairness notion) is typ- 
ically imposed on a program to exclude undesirable computations that would 
otherwise be valid. For example, the notion of strong process fairness (SPF), 
which requires that a process infinitely often ready to participate in an enabled 
interaction be able to execute some interaction infinitely often, can be used in 
the above program to prevent a process from being forever locked out from in- 
teraction. An implementation of the interaction scheduling (usually offered by 
the language compiler) then satisfies a given semantic constraint if it guarantees 
that all possible computations are valid, i.e., satisfying the constraint. 

We remark here that the use of semantic constraints in a programming lan- 
guage allows a program to take advantage of nondeterminism, so that the program 
can be naturally specified and easily proved, while hiding detailed run-time- 
dependent scheduling activities at the implementation level. The problem could 
also be solved at the programming level by completely re-designing the program 
so that all computations meet the constraint. But such approaches usually re- 
quire more sophisticated programming techniques, and often make a program 
hard to understand. 

A number of semantic constraints have been proposed in the literature (see 
[ref]), but only a few of them have been successfully implemented. In [ref] we pro- 
pose an implementability criterion to determine whether or not a given semantic 
constraint is implementable. In particular, we show that a semantic constraint 
satisfies the criterion if it is strongly feasible and equivalence-robust. Intuitively, 
strong feasibility means that when some interaction is enabled, there should be 
a continuation allowing some interaction to be executed regardless of whether 
non-ready processes will become ready or not. Clearly, given that each process 
decides on its own when it will be ready for interaction, no implementation can 
rely on non-ready processes becoming ready whenever some interaction can be 
scheduled for execution; otherwise deadlock would occur. So strong feasibility is 
necessary for a semantic constraint to be implementable. 

Equivalence-robustness requires that equivalent computations be either all 
valid or all invalid. Computations are equivalent if they differ only in the inter- 
leavings of independent actions. Here we assume that the underlying semantics 
induces a dependency relation on actions of the system, which is usually a partial 
order reflecting Lamport’s causality relation [ref]. Equivalence-robustness ensures 
that different observations of the same computation obtain the same property 
of the system [ref]. It thus serves as a natural bridge over the gap between 
interleaving semantics and partial order semantics, which is highly desirable in 
distributed languages. 

Although several important semantic constraints turn out to be non-equiva- 
lence-robust, Francez et al. [ref] have proposed a notion of completion to convert 
them into equivalence-robust ones. The idea of completion is to treat the compu- 
tations in a mixed equivalence class as all valid or all invalid. An equivalence class 
(as induced by the equivalence relation considered above) is mixed if it contains 
both valid and invalid computations. As such, a hierarchy of completions can be 
obtained, with the minimum (i.e., the strongest) being that all computations in 
a mixed class are treated as invalid, and the maximum (i.e., the weakest) being 
that all computations in a mixed class are treated as valid. More importantly, 
completions also shed some light on many existing unimplementable semantic 
constraints: so long as strong feasibility can be preserved, a completion suffices 
to warrant an implementation [ref]. 

In [ref] we propose a general algorithm to implement strongly feasible and 
equivalence-robust semantic constraints. The algorithm, however, is centralized 
because it employs a central coordinator in charge of the interaction scheduling. 
Our ultimate goal, of course, is to provide a distributed implementation. Note 
that the term “distributedness” is somewhat vague and sometimes subjective. 
Our interpretation here is that a distributed implementation should allow non- 
conflicting interactions to be established concurrently and independently. Under 
this interpretation, using a central coordinator in charge of the scheduling obvi- 
ously cannot qualify as a distributed implementation, because interactions are 
always established sequentially. Independence means that the decision for a pro- 
cess to choose either x or y to participate in should not depend on another process’s 
state if that process is not involved in x or y. Thus an implementation that 
replicates several copies of the above centralized coordinator for scheduling can- 
not be said to be distributed, even if nonconflicting interactions may be established 
concurrently. 

At the semantic level, however, some semantic constraints may inherently 
preclude a distributed implementation. For example, let $x_{12}$ and $x_{34}$ be two in- 
teractions, where $x_{12}$ involves $p_1$ and $p_2$, and $x_{34}$ involves $p_3$ and $p_4$. The two 
interactions do not conflict as they involve mutually disjoint sets of processes. 
However, when all four processes are ready for interaction, if the semantic con- 
straint requires $x_{12}$ to be established before $x_{34}$, then no distributed implementation 
(in the sense defined above) is possible. 

One might then presume that, in the light of strong feasibility (which is nec- 
essary for every implementable semantic constraint), equivalence-robustness is 
sufficient to guarantee a distributed implementation. Unfortunately, this is not 
true, as can be illustrated by the following example. Let IS be a system consisting 
of four interactions $x_1, x_2, y_1$, and $y_2$, where $x_1$ and $x_2$ involve only process $p$, 
while $y_1$ and $y_2$ involve only $q$. Suppose that each process behaves as follows: it 
is initially idle. From time to time it becomes ready for interaction, where $p$ is 
always ready for only one interaction, $x_1$ or $x_2$ nondeterministically, while $q$ is 
always ready for both $y_1$ and $y_2$ (but of course it can choose only one of them 
to execute). After an interaction a process returns to an idle state. Consider the 
following semantic constraint C: 

If $p$ does not execute $x_2$ then $q$ must execute $y_1$ and $y_2$ alternately; oth- 
erwise, $q$ eventually executes only $y_1$. 

It can be seen that the semantic constraint is strongly feasible and equivalence- 
robust. However, the semantic constraint implies that when $q$ is ready, the choice 
of $y_1$ or $y_2$ cannot be made locally by $q$ without consulting $p$’s state. This is be- 
cause otherwise $q$ would either execute $y_1$ and $y_2$ alternately, or always execute 
$y_1$, regardless of whether $x_2$ has been executed or not, and so the overall compu- 
tation would not be valid. 

Although semantic constraints like the one above are bizarre and rare, they do pre- 
clude us from obtaining a general distributed implementation for all possible 
strongly feasible and equivalence-robust semantic constraints. In this paper we 
propose a localizability criterion that requires a semantic constraint not only to be 
strongly feasible, but also to permit the decision to establish an interaction to be 
made locally by its participants, subject to the condition that local decisions do 
not infinitely often block other processes that have been continuously waiting 
for an interaction from establishing it. Based on this criterion, we 
then present a general distributed algorithm to implement equivalence-robust 
semantic constraints. 

Note that localizability only provides a sufficient condition for distributed im- 
plementation. We do not intend to provide a criterion that is both sufficient and 
necessary for distributed implementation, as doing so would require a formal 
distributed implementation model that can well justify the meaning of “dis- 
tributedness.” Instead, we appraise our localizability criterion by showing that, 
in the presence of equivalence-robustness, the notion of strong interaction fair- 
ness (SIF), which requires that an interaction that is infinitely often enabled be 
executed infinitely often, is localizable. Since SIF is considerably stronger than 
most semantic constraints proposed in the literature, our results imply that 
most equivalence-robust semantic constraints can be distributedly implemented 
as well. 
The rest of the paper is organized as follows: Section 2 presents an abstract 
model for process interactions. Section 3 presents our localizability criterion. 
Section 4 sets up some useful lemmas to highlight the possibility of a distributed 
implementation for localizable and equivalence-robust semantic constraints. Sec- 
tion 5 then presents a real implementation. The last section concludes. 

2 Preliminaries 

An interaction system is a triple IS = (P, I, M), where P is a finite set of pro- 
cesses, I is a finite set of interactions, and $M : P \times I^* \to 2^I$ is a function called 
the program of the system. Each interaction $x$ involves a fixed set $P_x \subseteq P$ of 
participant processes, and can be executed by the participants (and only the 
participants) only if they are all ready for the interaction. A process is either in 
an idle state or in a ready state. Initially, every process is idle. An idle process $p$ 
may autonomously become ready, where it is ready for a set $p.aim$ of potential 
interactions of which it is a member. After executing one interaction in $p.aim$, 
$p$ returns to an idle state. The set $p.aim$ is determined by $M(p, h)$, where $h$ is 
the sequence of interactions $p$ has executed. As only the participants of an in- 
teraction can execute the interaction, we shall assume that $x \in M(p, h)$ only if 
$p \in P_x$. 

A state $s$ of IS is a tuple consisting of the history of interactions executed so 
far, and for each $p \in P$, the state (i.e., idle or ready) of $p$ and the set of potential 
interactions $p$ is ready to execute. We use $[s]_{hist}$ to denote the history, $[s]_p$ the 
state of $p$ in $s$, and $[s]_{p.aim}$ the set of potential interactions $p$ is ready to execute. 
Moreover, $[s]_{hist,p}$ denotes the sequence of interactions in $[s]_{hist}$ that involve $p$, 
i.e., the history of interactions executed by $p$. An interaction $x$ is enabled in $s$ 
iff (if and only if) every process $p \in P_x$ is ready for $x$, i.e., $[s]_p = ready$ and 
$x \in [s]_{p.aim}$. Let S be the set of all possible states of IS. State transitions of the 
system are written as $s \xrightarrow{a} s'$, where $s, s' \in S$, and $a$ is the action whose execution 
results in the transition. State transitions are of the following two forms: 

ready: $s \xrightarrow{p.I} s'$ iff $[s]_p = idle$, $[s']_p = ready$, $M(p, [s]_{hist,p}) = I$, 
$[s']_{p.aim} = I$, and $\forall q \in P - \{p\} : [s]_q = [s']_q \wedge [s]_{q.aim} = [s']_{q.aim}$. 
That is, the action $p.I$ transits process $p$ from idle to a state ready for the 
set $I$ of interactions. 

interaction: $s \xrightarrow{x} s'$ iff $[s']_{hist} = [s]_{hist} \cdot x$, $\forall p \in P_x : [s]_p = ready \wedge x \in [s]_{p.aim} 
\wedge [s']_p = idle \wedge [s']_{p.aim} = \emptyset$, and $\forall q \in P - P_x : [s]_q = [s']_q \wedge 
[s]_{q.aim} = [s']_{q.aim}$. 
That is, the execution of interaction $x$ transits all participants of $x$ from 
state ready to idle. 

A run $\pi$ is a sequence of the form 

$s_0 \xrightarrow{a_1} s_1 \xrightarrow{a_2} s_2 \ldots$ 

where $s_0$ is the initial state (that is, $[s_0]_{hist} = \epsilon$ and $\forall p \in P : [s_0]_p = idle \wedge 
[s_0]_{p.aim} = \emptyset$), and each $s_i \xrightarrow{a_{i+1}} s_{i+1}$ is a state transition of the system. In 
particular, $\pi$ is complete if it is infinite or it ends up in a state in which all 
processes are ready but no interaction is enabled; otherwise, $\pi$ is partial. We use 
$run^*(IS)$ to denote the set of all finite runs of IS, and $run(IS)$ denotes the set of 
complete runs. Thus, $run^*(IS) \cap run(IS)$ is the set of finite complete runs. 

It should be noted that, like most systems, we have made a minimal progress 
assumption: if some action can be executed in IS, then some action will 
eventually be executed. So if no interaction is enabled and not all processes 
are ready for interaction, then some idle process will eventually become ready. 
However, the minimal progress assumption does not exclude the possibility that a 
process remains idle forever in an infinite run. Indeed, so long as some executable 
action will eventually be executed, we do not assume any bound on the time a 
process stays in a ready state. The reason for this is that making such a bounded- 
transition assumption could result in an implementation where the scheduling 
of an interaction depends not only on the processes involved in the interaction, 
but also on other processes not involved in the interaction. For example, an 
implementation could simply wait until all processes are ready, and then choose 
an interaction fulfilling the semantic constraint for execution. As pointed out by 
Buckley and Silberschatz [ref], such an implementation is impractical and inefficient. 
Besides, it could result in a deadlock for systems where local actions may not 
terminate. 

Since each run $s_0 \xrightarrow{a_1} s_1 \xrightarrow{a_2} s_2 \ldots$ is uniquely determined by the sequence of 
actions executed in the run, we often write the run as $a_1 a_2 \ldots$. Conversely, we 
call a sequence of actions $a_1 a_2 \ldots$ a run if there exist states $s_0, s_1, s_2, \ldots$ of IS, 
with $s_0$ being the initial state, such that $s_0 \xrightarrow{a_1} s_1 \xrightarrow{a_2} s_2 \ldots$ is a run of IS. 

Definition 1. A semantic constraint C is a function which, given an interaction 
system IS, returns a set of runs $C[IS] \subseteq run(IS)$. We say that $\pi$ is C-valid (or 
simply valid when the context is clear) if $\pi \in C[IS]$. 

We assume that actions involving a common process in a run are totally 
ordered by the order in which the process executes them. These total orderings 
then induce a typical partial-order dependency relation on the actions of a run 
such that $a \prec b$ iff some process executes $a$ before $b$, or there exists $c$ such that 
$a \prec c$ and $c \prec b$. Two runs $\pi$ and $\rho$ are equivalent, denoted by $\pi \equiv \rho$, iff for 
every process $p$, the sequence of actions involving $p$ in $\pi$ is the same as that in 
$\rho$. As can be seen, if $\pi \equiv \rho$, then one of them can be obtained from the other by 
transpositions of independent actions. 

For example, consider the following run of the system shown in Fig. 1, where 
$P_{x_{12}} = \{p_1, p_2\}$, $P_{x_{23}} = \{p_2, p_3\}$, and $P_{x_{34}} = \{p_3, p_4\}$: 

$\pi = (p_1 p_2 x_{12} p_3 p_4 x_{34})^\omega$ 

We use $M^*$ to denote a program that allows a process to be ready for all in- 
teractions of which it is a member every time the process becomes ready. For 
notational simplicity we overload the notation $p_i$ to abbreviate the correspond- 
ing ready action $p_i.I_i$ where $I_i = \{x \in I \mid p_i \in P_x\}$. This abbreviation will be 
adopted throughout the paper. Also, $a^\omega$ denotes the infinite sequence $aaaa\ldots$. 

Fig. 1. A system IS = $(\{p_1, p_2, p_3, p_4\}, \{x_{12}, x_{23}, x_{34}\}, M^*)$. 

Observe that every instance of $x_{12}$ in $\pi$ is independent of the following action 
$p_3$. So $\pi$ is equivalent to $(p_1 p_2 p_3 x_{12} p_4 x_{34})^\omega$. 

Definition 2. A semantic constraint C is equivalence-robust for IS iff 

$\forall \pi, \rho \in run(IS) : \pi \in C[IS] \wedge \rho \equiv \pi \Rightarrow \rho \in C[IS]$. 

The notion of strong feasibility is realized by a two-player game between an 
explicit scheduler S which copes with interaction scheduling, and an adversary 
A which captures the processes’ autonomy in making their ready transitions. 

Definition 3. 

1. An adversary A for IS is a function which, given a run $\pi \in run^*(IS)$, returns 
either an empty sequence $\epsilon$ or a sequence of actions $p_1.I_1 \ldots p_k.I_k$ as the 
continuation of $\pi$ such that $\pi \cdot p_1.I_1 \ldots p_k.I_k$ represents a run of IS. More- 
over, $A(\pi) = \epsilon$ only if $\pi$ is complete or some interaction is enabled in $\pi$ (i.e., 
enabled in the last state of $\pi$). 

2. A nonblocking scheduler S for IS is a function which, given a run $\pi \in run^*(IS)$, 
returns either $\epsilon$ or an interaction $x$ enabled in $\pi$ as the continuation of $\pi$. 
Moreover, $S(\pi) = \epsilon$ only if no interaction is enabled in $\pi$.¹ 

3. The result of the S versus A game up to round $i$ is defined by $r^i(S, A)$, where 

$r^i(S, A) = \begin{cases} \epsilon & : i = 0 \\ r^{i-1}(S, A) \cdot A(r^{i-1}(S, A)) & : i = 2n - 1,\ n \in \mathbb{N} \\ r^{i-1}(S, A) \cdot S(r^{i-1}(S, A)) & : i = 2n,\ n \in \mathbb{N} \end{cases}$ 

The run generated by S versus A, denoted by $r(S, A)$, is the result of the 
game proceeding in the maximum number of rounds. 

Definition 4. A semantic constraint C is strongly feasible for IS iff there exists 
a nonblocking scheduler S for IS satisfying C; that is, for every adversary A, 
$r(S, A) \in C[IS]$. 

¹ For simplicity, we allow S to schedule only one interaction at a time even if there is 
more than one nonconflicting interaction enabled. This does not lose any generality 
because the game allows the adversary, in response, to suspend idle processes from 
becoming ready until all enabled interactions have been disabled. 
We say that a semantic constraint $C_1$ is stronger than $C_2$ (or $C_2$ is weaker 
than $C_1$) if $C_1[IS] \subseteq C_2[IS]$. It follows that if $C_1$ is strongly feasible and $C_2$ is 
weaker than $C_1$, then $C_2$ is strongly feasible as well. Note that a nonblocking 
scheduler S satisfying C need not be “faithful” [ref] to C in the sense that not 
every run in $C[IS]$ need be generated by S. 

Moreover, it is worth noting that a nonblocking scheduler S represents only 
an abstract scheduling policy for C. It does not directly correspond to an im- 
plementation. This is because in a real system any scheduling decision must be 
made by a process p, either an existing one in the system or an auxiliary coordi- 
nator that is added to assist the scheduling. For p to make a scheduling decision, 
it must obtain processes’ states, and only through communications. Since a com- 
munication takes time and since processes determine autonomously when they 
will become ready, it is not possible for p to obtain a global view of the system 
that is consistent with the view observed externally. For example, when p ob- 
serves that only x is enabled and decides to schedule x, it is possible that some 
other conflicting interaction y is also enabled and the semantics insists that y 
shall be established. In contrast, a nonblocking scheduler S implicitly assumes 
an external global view of the system. 

3 The Localizability Criterion 

In this section we present our localizability criterion, for which we need the 
following definitions. Let IS = (P, I, M) be an interaction system, $Q \subseteq P$ be a 
set of processes, and $\rho \in run^*(IS) \cup run(IS)$ be a run. The projection of $Q$ in 
$\rho$, denoted by $[\rho]_Q$, is the result of extracting from $\rho$ every action $a$ involving 
a process in $Q$ and every action $b$ satisfying $b \prec a$; the relative order of the 
extracted actions in $\rho$ is preserved in $[\rho]_Q$. Note that $[\rho]_Q$ also represents a run. 
For notational simplicity, we often write $[\rho]_Q$ as $[\rho]_q$ if $Q$ is a singleton consisting 
solely of $q$. For example, consider the interaction system shown in Fig. 1. Let 
$\pi = p_4 (p_1 p_2 x_{12} p_2 p_3 x_{23})^\omega$ be a run of the system. Then $[\pi]_{p_1} = [\pi]_{p_3} = 
(p_1 p_2 x_{12} p_2 p_3 x_{23})^\omega$, and $[\pi]_{p_4} = p_4$. Moreover, $[\pi]_{p_2} = (p_1 p_2 x_{12} p_2 p_3 x_{23})^\omega$, 
and $[\pi]_{\{p_2, p_4\}} = [\pi]_{\{p_1, p_2, p_4\}} = \pi$. 

Moreover, let S be a nonblocking scheduler for IS. An interaction $x$ in $\pi$ is 
S-admissible if $S([\pi|_x]_{P_x}) = x$, where $\pi|_x$ is the prefix of $\pi$ up to but not includ- 
ing $x$. A nonempty set of processes $Q$ is S-neglected in $\pi$ if every process in $Q$ 
remains ready forever from some point onward, but there exist two interactions 
$y$ and $z$ (where $z$ could be an empty interaction $\epsilon$ with no participant) and in- 
finitely many prefixes $\rho$ of $\pi$ such that (a) $P_y - P_z = Q$ and (b) $S([\rho]_{P_y}) = y$ 
but $\rho$ is followed by $z$. 

The localizability criterion is defined operationally by a “localizable” sched- 
uler S as follows. 

344 Yuh-Jzer Joung 

Definition 5. A semantic constraint C is localizable for IS = (P, I, M) if there 
exists a nonblocking scheduler S such that: 

1. For every adversary A of IS, $r(S, A) \in C[IS]$. 

2. For every $\pi$ in $run(IS)$, if every $x$ in $\pi$ is S-admissible and no nonempty 
subset of P is S-neglected in $\pi$, then $\pi \in C[IS]$. 

In this case, S is called a localizable scheduler for IS satisfying C. 

To help understand the definition, consider again the interaction system 
shown in Fig. 1. Assume that S is such that if no interaction is enabled in $\pi$, then 
$S(\pi)$ returns $\epsilon$; otherwise it returns the enabled interaction that is executed 
least often in $\pi$, with ties broken arbitrarily. Let $\pi = p_4 (p_1 p_2 x_{12} p_2 p_3 x_{23})^\omega$ be a run 
of the system. Then every interaction $x$ in $\pi$ is S-admissible because only $x$ is en- 
abled in $[\pi|_x]_{P_x}$. However, the set $\{p_4\}$ is S-neglected because $\{p_4\} = P_{x_{34}} - P_{x_{23}}$ 
and there are infinitely many prefixes $\rho_i = p_4 (p_1 p_2 x_{12} p_2 p_3 x_{23})^i p_1 p_2 x_{12} p_2 p_3$ of $\pi$ 
such that $S([\rho_i]_{P_{x_{34}}}) = x_{34}$, but $\rho_i$ is followed by $x_{23}$. 

By definition, localizability implies strong feasibility. Intuitively, admissibility 
means that the participants of an enabled interaction $x$ can decide on their own 
whether or not to establish $x$. Localizability of C therefore allows interactions 
to be established locally by their participants, so long as no nonempty set $Q$ of 
processes is forever neglected in the sense that infinitely often, the processes in 
$Q$ together with the processes in some other set $R$ can establish an interaction $y$, 
but the processes in $R$ neglect $Q$ by always choosing another interaction $z$. The 
fact that $R$ could be empty means that if the processes of $Q$ alone can establish 
an interaction, then they should be able to do so regardless of other processes’ 
progress. 

The following lemma shows that the maximum completion of SIF, denoted 
as $SIF^+$, is localizable. It can be proved by presenting a nonblocking scheduler 
that schedules interactions by giving priority to the one that is executed 
least often, and showing that the scheduler satisfies SIF and is localizable. 

Lemma 1. $SIF^+$ is localizable for every IS = (P, I, M). 

The following lemma shows that localizability is respected by the weaker- 
than relation between semantic constraints. It follows from the definition of 
localizability. 

Lemma 2. If $C_1$ is localizable and $C_2$ is weaker than $C_1$, then $C_2$ is also local- 
izable. 

Since SIF is considerably stronger than most semantic constraints proposed 
in the literature, Lemmas 1 and 2 imply that in the presence of equivalence- 
robustness most semantic constraints are localizable as well. (See [ref] for a 
survey of existing semantic constraints.) 

For a counterexample to localizability, consider the semantic constraint C 
discussed in Section 1 for the system IS = $(\{p, q\}, \{x_1, x_2, y_1, y_2\}, M)$ where $q$ 
must execute $y_1$ and $y_2$ alternately if $p$ does not execute $x_2$, or otherwise $q$ must 
eventually execute only $y_1$. To see that C is not localizable, suppose otherwise that S is 
a localizable scheduler satisfying C. Then, since S is also a nonblocking scheduler 
satisfying C, the following must hold: if $q$ is ready for interaction in $\pi$ and 
$\pi$ does not contain any action involving $p$, then $S(\pi)$ must return $y_1$ if the last 
interaction executed by $q$ (if any) is $y_2$, and returns $y_2$ if the last interaction is $y_1$. 
Since for any partial run $\rho$ of IS, $[\rho]_q$ cannot contain any action involving $p$, every 
instance of $y_1$ and $y_2$ in $\rho$ is S-admissible if $q$ executes $y_1$ and $y_2$ alternately in $\rho$. 
Moreover, since by the definition of M at most one interaction can be enabled in 
$[\rho]_p$, every instance of $x_1$ and $x_2$ in $\rho$ (if any) is S-admissible. So, for any complete 
run $\pi$, if $q$ executes $y_1$ and $y_2$ alternately, then every interaction in $\pi$ must be 
S-admissible regardless of whether $p$ has executed $x_2$ or not. As a result, if no 
process remains ready forever (e.g., $\pi = (p x_1 p x_2 q y_1 q y_2)^\omega$), then by the second 
condition of Definition 5, $\pi$ must belong to $C[IS]$. However, if $p$ does execute $x_2$ 
in $\pi$, then by the definition of C, $\pi$ should not be in $C[IS]$; contradiction. So C 
cannot be localizable because there is no localizable scheduler satisfying C. To 
summarize, a semantic constraint that is strongly feasible and equivalence-robust 
may not necessarily be localizable. 



4 An Abstract Distributed Scheduler 

Recall that the definition of localizability involves a nonblocking scheduler S. By 
Definition 3, a nonblocking scheduler essentially assumes centralized scheduling 
because it takes as input the global state of the system and schedules all inter- 
actions among the processes. The centralized nature of the scheduler helps us 
determine whether or not a given semantic constraint is localizable (and strongly 
feasible), but it does not reveal much about how the semantic constraint can 
be distributedly implemented. Therefore, the purpose of this section is to set up 
some lemmas to highlight the possibility of a distributed realization of a localiz- 
able scheduler at an abstract level. Based on these lemmas the next section then 
presents a real implementation for the scheduler. 

We begin by distributing the task of a localizable scheduler S to each process. 
The game between S and a given adversary A in Definition 3 will be played by 
the local schedulers and A. A local scheduler for process $p$ can be obtained from 
S by simply restricting it to the portion of input relevant to $p$, as defined below. 

Definition 6. Let S be a nonblocking scheduler for IS = (P, I, M). A function 
$S{\downarrow}p : run^*(IS) \to I \cup \{\epsilon\}$ is a restriction of S to $p$ if $S{\downarrow}p(\pi) = x \neq \epsilon$ implies 
$S([\pi]_{P_x}) = x$ and $p \in P_x$. 

The game between the local schedulers and an adversary proceeds by letting 
the adversary schedule some processes to be ready for interaction, and then 
activating some local schedulers to schedule an interaction for their processes, 
and so on, as defined below: 

Definition 7. Let S be a nonblocking scheduler for IS = (P, I, M), and let $\mathcal{S} = 
\{S{\downarrow}p \mid p \in P\}$ be a set of restrictions. Define a trace $t$ to be a sequence $t = 
p_{1,1} p_{1,2} \ldots p_{1,n_1}, \ldots, p_{i,1} p_{i,2} \ldots p_{i,n_i}, \ldots$ such that each $p_{i,k} \in P$. Then, given an 
adversary A, the result of the $\mathcal{S}$ versus A game generated by this trace up to 
round $i$, step $j$, where $0 \le j \le n_i$ and $n_0 = 0$, is defined by 

$d_t^{i,j}(\mathcal{S}, A) = \begin{cases} \epsilon & : i = j = 0 \\ d_t^{i-1,n_{i-1}}(\mathcal{S}, A) \cdot A(d_t^{i-1,n_{i-1}}(\mathcal{S}, A)) & : i > 0,\ j = 0 \\ d_t^{i,j-1}(\mathcal{S}, A) \cdot S{\downarrow}p_{i,j}(d_t^{i,j-1}(\mathcal{S}, A)) & : i > 0,\ 1 \le j \le n_i \end{cases}$ (1) 

The run generated by $\mathcal{S}$ versus A, denoted by $d_t(\mathcal{S}, A)$, is the result of the game 
proceeding in the maximum number of rounds and steps. When no confusion is 
possible, we drop the subscript $t$ from $d_t^{i,j}(\mathcal{S}, A)$ and $d_t(\mathcal{S}, A)$. 

In the above definition, the sequence $p_{i,1} p_{i,2} \ldots p_{i,n_i}$ is referred to as the $i$th 
segment of $t$, and the local scheduler $S{\downarrow}p_{i,j}$ is said to be activated in round $i$, 
step $j$ of the game. Note that by the definition it is easy to see that the sequence 
$d^{i,j}(\mathcal{S}, A)$ represents a run, and every interaction in $d^{i,j}(\mathcal{S}, A)$ is S-admissible. 

To illustrate the game, consider the interaction system shown in Fig. 1. Let 
S be a nonblocking scheduler that schedules the least-executed interaction for 
execution, with ties broken arbitrarily. Furthermore, let each $S{\downarrow}p_i$, $1 \le i \le 4$, 
be a restriction of S such that if there is some $x$ satisfying $S([\pi]_{P_x}) = x$ and 
$p_i \in P_x$, then $S{\downarrow}p_i(\pi) = x$; and if there is more than one interaction satisfying 
the condition, then $S{\downarrow}p_i(\pi)$ returns the least executed one. Again, ties are broken 
arbitrarily. Suppose $d^{1,0}(\mathcal{S}, A) = p_1 p_3 p_2 p_4$. Assume all four local schedulers are 
activated in the order $S{\downarrow}p_1$, $S{\downarrow}p_3$, $S{\downarrow}p_2$, and $S{\downarrow}p_4$. Consider first $d^{1,1}(\mathcal{S}, A)$, 
which by definition is $d^{1,0}(\mathcal{S}, A) \cdot S{\downarrow}p_1(p_1 p_3 p_2 p_4)$. Since $S{\downarrow}p_1(p_1 p_3 p_2 p_4) = x_{12}$, 
$d^{1,1}(\mathcal{S}, A) = p_1 p_3 p_2 p_4 x_{12}$. Then, since $S{\downarrow}p_3(p_1 p_3 p_2 p_4 x_{12}) = x_{34}$, $d^{1,2}(\mathcal{S}, A) = 
p_1 p_3 p_2 p_4 x_{12} x_{34}$. Since no more interactions are enabled, $d^{1,3}(\mathcal{S}, A) = d^{1,4}(\mathcal{S}, A) = 
d^{1,2}(\mathcal{S}, A)$. 

One may have observed a “centralization” nuance in Definition 7: the 
input to each local scheduler is the global run. As we shall see shortly in this sec- 
tion, the restriction imposed on local schedulers makes no difference whether 
the input is local or global. 
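An added example (not the paper's own code) that mechanises the definitions of Sections 2 to 4 on the Fig. 1 system: the causal projection $[\rho]_Q$, the least-executed nonblocking scheduler S, S-admissibility, run equivalence, the restriction $S{\downarrow}p$, and one round of the local-scheduler game of Definition 7, reproducing both the neglected set $\{p_4\}$ from Section 3 and the round $p_1 p_3 p_2 p_4 x_{12} x_{34}$ walked through just above. Ties, which the text breaks arbitrarily, are broken by interaction name here so that the results are deterministic; the runs are finite prefixes of the infinite runs in the text.

```python
"""Interaction systems after Fig. 1: projections, the least-executed scheduler
S, S-admissibility, run equivalence, restrictions S|p and the local game.
Added example, not the paper's code; ties are broken by name, not arbitrarily.
"""
from collections import Counter

# Fig. 1: IS = ({p1,p2,p3,p4}, {x12,x23,x34}, M*), P_x12 = {p1,p2} and so on.
PART = {"x12": {"p1", "p2"}, "x23": {"p2", "p3"}, "x34": {"p3", "p4"}}
PROCS = {"p1", "p2", "p3", "p4"}


def involved(a):
    """Processes taking part in action a (a ready action p or an interaction x)."""
    return PART[a] if a in PART else {a}


def ready_after(run):
    """Replay a finite run under M*: a ready process aims at all its interactions."""
    ready = set()
    for a in run:
        if a in PART:
            assert PART[a] <= ready, f"{a} is not enabled"
            ready -= PART[a]            # participants return to idle
        else:
            assert a not in ready, f"{a} is already ready"
            ready.add(a)
    return ready


def enabled(run):
    ready = ready_after(run)
    return {x for x, ps in PART.items() if ps <= ready}


def project(run, Q):
    """[run]_Q: actions involving Q plus their causal predecessors, order kept.
    Scanning backwards, an action is kept iff it shares a process with Q or
    with an already-kept later action; its processes then join the dependency set."""
    deps, kept = set(Q), []
    for a in reversed(run):
        if involved(a) & deps:
            kept.append(a)
            deps |= involved(a)
    return kept[::-1]


def S(run):
    """Nonblocking scheduler: the enabled interaction executed least often."""
    en = enabled(run)
    if not en:
        return None                     # epsilon
    counts = Counter(a for a in run if a in PART)
    return min(en, key=lambda x: (counts[x], x))


def non_admissible(run):
    """Indices of interactions x in run with S([run|x]_{P_x}) != x."""
    return [i for i, a in enumerate(run)
            if a in PART and S(project(run[:i], PART[a])) != a]


def equivalent(run1, run2):
    """run1 == run2 iff every process sees the same sequence of its own actions."""
    return all([a for a in run1 if p in involved(a)]
               == [a for a in run2 if p in involved(a)] for p in PROCS)


def S_restrict(p, run):
    """S|p: some x with p in P_x and S([run]_{P_x}) = x, least executed first."""
    cands = [x for x in PART if p in PART[x] and S(project(run, PART[x])) == x]
    if not cands:
        return None
    counts = Counter(a for a in run if a in PART)
    return min(cands, key=lambda x: (counts[x], x))


def activate(run, order):
    """One round of the local-scheduler game (Definition 7): activate S|p for
    each p in order, appending whatever interaction it schedules."""
    for p in order:
        x = S_restrict(p, run)
        if x is not None:
            run = run + [x]
    return run


def neglect_witness(prefix, next_action, y):
    """Q = P_y - P_z when S([prefix]_{P_y}) = y but the run continues with z."""
    z_parts = PART.get(next_action, set())   # z may be the empty interaction
    if S(project(prefix, PART[y])) == y and next_action != y:
        return PART[y] - z_parts
    return set()


if __name__ == "__main__":
    block = ["p1", "p2", "x12", "p2", "p3", "x23"]
    rho1 = ["p4"] + block + block[:-1]       # prefix of p4 (p1 p2 x12 p2 p3 x23)^w
    print("neglected set:", neglect_witness(rho1, "x23", "x34"))
    print("round 1:", activate(["p1", "p3", "p2", "p4"], ["p1", "p3", "p2", "p4"]))
```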

Definition 8. Let S be a nonblocking scheduler for IS = (P, I, M), and let
$\mathcal{S} = \{S{\downarrow}_p \mid p \in P\}$ be a set of restrictions. Given $d_t(S,A)$, the trace t is advertent if
$d_t(S,A)$ is complete and no nonempty subset of P is S-neglected in $d_t(S,A)$. The
set of advertent runs of S versus A, denoted by AR(S, A), is the set of complete
runs

$$AR(S,A) = \{\, d_t(S,A) \mid t \text{ is advertent} \,\}.$$



Since every interaction in $d_t(S,A)$ is S-admissible, the following lemma follows
immediately.

Lemma 3. Assume that C is localizable for IS = (P, I, M). Let S be a localizable
scheduler for IS satisfying C, and let $\mathcal{S} = \{S{\downarrow}_p \mid p \in P\}$ be an arbitrary set of
restrictions. Then, for every adversary A, $AR(S,A) \subseteq C[\![IS]\!]$.

In the following we present a scheme, our main lemma of the paper, to
guarantee advertent traces. Based on this scheme a real distributed implementation
for any given localizable semantic constraint will then be presented in
the next section. The lemma statement is somewhat complex, and so some
comments have been placed inside the lemma to help understand it. The
proof will be given in the full paper.

Lemma 4. Let S be a nonblocking scheduler for IS = (P, I, M), $\mathcal{S} = \{S{\downarrow}_p \mid p \in P\}$
be a set of restrictions, A be an adversary, t be a trace, and $C = \{c(p,i) \mid p \in P,\ i \in \mathbb{N}\}$
be a set of integers. In the game that generates $d_t(S,A)$, associate
with each $p \in P$ in round i the integer $c(p,i)$; $c(p,i)$ is referred to as
the age of p in round i; the larger the value, the younger the process. The ages
of the processes satisfy the following two conditions:

— $c(p,i) \ne c(q,i)$ if $p \ne q$; that is, processes' ages are distinct in each round.

— $c(p,i) = c(p,i+1)$ if p is ready in round i (immediately after step 0 of the
round), and remains ready in round $i+1$; that is, p's age remains the same
in a ready state.

Let $p_{i,1}p_{i,2}\cdots p_{i,n_i}$ be the ith segment of t. Then, t is advertent if the following
three conditions are satisfied during the game:

1. A process p's local scheduler is activated at most once from the time p enters
a ready state until the time it leaves the state. Moreover, if x becomes enabled
in round i and p is the youngest process among $P_x$ in round i, then p's local
scheduler will be activated (in round i or some round afterwards).

Remark. The condition implies that if x is disabled because some participant
p has executed a conflicting interaction, then when p is ready again to
enable x, if all the other participants of x remain ready for x and their local
schedulers have been activated (since the last time x was enabled), then p's age
must be the youngest among $P_x$.

2. For each pair (i,j), $1 \le j \le n_i$, if there exists an x satisfying the following
condition

$$p_{i,j} \in P_x,\quad S\big([d^{i,j-1}(S,A)]_{P_x}\big) = x,\quad\text{and}\quad c(p_{i,j},i) = \max\{c(p,i) \mid p \in P_x\},$$

then $S{\downarrow}_{p_{i,j}}(d^{i,j-1}(S,A)) = x$. Otherwise $S{\downarrow}_{p_{i,j}}(d^{i,j-1}(S,A)) = \epsilon$. If more
than one interaction satisfies the above condition, then $S{\downarrow}_{p_{i,j}}$ can return any
one of them, except that if infinitely often $S{\downarrow}_{p_{i,j}}$ can return some x, then x
must be executed infinitely often in the run.

Remark. The condition implies that if x is enabled, then only the scheduler
of the youngest process in $P_x$ can establish x.

3. For each pair (i,j), $1 \le j \le n_i$, if $S{\downarrow}_{p_{i,j}}(d^{i,j-1}(S,A)) = x$ for some $x \ne \epsilon$,
then for all $y \in I$ such that $P_x \cap P_y \ne \emptyset$ and $S\big([d^{i,j-1}(S,A)]_{P_y}\big) = y$, if
$c(p,i) = \max\{c(q,i) \mid q \in P_y\}$, then either $p = p_{i,j}$ or $p \notin P_x$.

Remark. The condition implies that while an interaction y remains enabled
and p is the youngest process in $P_y$, no other scheduler except the scheduler
of p can schedule p to execute an interaction.

It should be noted that some trace t may cause conditions 2 and 3 of the
lemma to conflict. For example, assume a system of two interactions $x_{12}$ and
$x_{23}$, where $P_{x_{12}} = \{p_1,p_2\}$ and $P_{x_{23}} = \{p_2,p_3\}$. Suppose for some given $\pi$,
$S([\pi]_{P_{x_{12}}}) = x_{12}$ and $S([\pi]_{P_{x_{23}}}) = x_{23}$, and $p_1$ and $p_2$ are the youngest processes
in $P_{x_{12}}$ and $P_{x_{23}}$, respectively, up to the end of $\pi$. If $p_1$'s scheduler is
activated before $p_2$'s, then by condition 2 $p_1$'s scheduler must choose $x_{12}$, while
by condition 3 $x_{12}$ cannot be chosen ($p_2$ is the youngest process of the enabled
interaction $x_{23}$, yet it is different from $p_1$ and belongs to $P_{x_{12}}$). On the other
hand, no conflict occurs if $p_2$'s scheduler is activated before $p_1$'s. In this case,
$p_2$'s scheduler must establish $x_{23}$ because $p_1$ is younger than $p_2$ and so by
condition 2 $p_2$'s scheduler cannot establish $x_{12}$. Once $x_{23}$ is established, all
interactions are disabled, leaving $p_1$'s scheduler no choice but to establish an
empty interaction.

We have described how interactions can be scheduled locally at an abstract
level so that the overall run rendered by the processes is valid. Still, the game
defined in Definition 7 between local schedulers and a given adversary is in some
sense "centralized." This is because the input given to each $S{\downarrow}_{p_{i,j}}$ is the entire
global run so far. To make the game really "distributed," each local
scheduler should be concerned with only the portion of the global run relevant
to its scheduling. Fortunately, the restriction imposed on local schedulers makes
no difference to whether the input is the entire global run or only the relevant
portion. What needs to be taken care of is to ensure that the combined effect of
independent local scheduling yields an advertent trace, and this is exactly why
Lemma 4 is conceived.

Finally, before presenting a real implementation for the local schedulers, we
need a way to combine projections. Let $\Phi_\varphi = \{[\varphi]_{p_1}, \ldots, [\varphi]_{p_m}\}$ be a set of
projections of $\varphi$. The join $\psi$ of $\Phi_\varphi$ (with respect to $\varphi$) is the projection of
$\varphi$ onto $\{p_1, \ldots, p_m\}$. It follows directly that $\forall\, 1 \le i \le m : [\psi]_{p_i} = [\varphi]_{p_i}$. For
example, consider Fig. [ref]. Let $\pi_2 = p_1p_2x_{12}p_2$ and $\pi_3 = p_3p_4x_{34}p_3$ be the
projections of $p_2$ and $p_3$, respectively, in $\varphi = p_1p_2x_{12}p_3p_4x_{34}p_2p_3p_1$. Then the
join of $\{\pi_2,\pi_3\}$ is $p_1p_2x_{12}p_3p_4x_{34}p_2p_3$. Note that, in general, different runs may
yield the same projection. So given a set of projections $\Phi_\varphi = \{[\varphi]_{p_1}, \ldots, [\varphi]_{p_m}\}$,
it is virtually impossible to compute their join without knowledge of $\varphi$. For
example, $\pi_2$ and $\pi_3$ are also the projections of $p_2$ and $p_3$, respectively, in
$\varphi' = p_1p_3p_2x_{12}p_2p_4x_{34}p_3$. So $p_1p_3p_2x_{12}p_2p_4x_{34}p_3$ is the join of $\{\pi_2,\pi_3\}$ with
respect to $\varphi'$. However, the join $\psi$ of $\{[\varphi]_{p_1}, \ldots, [\varphi]_{p_m}\}$ with respect to $\varphi$
cannot include any action not in the projections $[\varphi]_{p_1}, \ldots, [\varphi]_{p_m}$. So, if we
know the relative order of the actions in the projections (e.g., by timestamps),
then we can still compute their join without complete knowledge of $\varphi$.
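Both observations above (a set of projections does not determine its join, but it does once every action carries a timestamp) can be checked mechanically. The Python below is an added example written for this edition of the text, not code from the paper. It treats a projection as a plain sequence of actions and a "join" as any sequence whose restriction to each projection's alphabet equals that projection; this alphabet-based reading is an assumption that happens to fit the two joins quoted above, while the paper's own projection operator is defined in an earlier section. The second function recovers the join from timestamped projections using the paper's convention that an interaction carries the same timestamp in every participant's view. The inputs $\pi_2$, $\pi_3$ and their timestamps are constructed here.

```python
def consistent_joins(projections):
    """All sequences w whose restriction to each projection's alphabet equals that
    projection. Actions are strings and may repeat; an action shared by several
    projections is emitted once and advances all of them (synchronisation)."""
    alphabets = [set(p) for p in projections]
    results = []

    def extend(idx, acc):
        if all(i == len(p) for i, p in zip(idx, projections)):
            results.append(tuple(acc))
            return
        tried = set()
        for k, p in enumerate(projections):
            if idx[k] == len(p) or p[idx[k]] in tried:
                continue
            a = p[idx[k]]
            tried.add(a)
            # a may be emitted only if it is next in every projection that mentions it
            if all(a not in alphabets[m]
                   or (idx[m] < len(projections[m]) and projections[m][idx[m]] == a)
                   for m in range(len(projections))):
                nxt = [i + (a in alphabets[m]) for m, i in enumerate(idx)]
                extend(nxt, acc + [a])

    extend([0] * len(projections), [])
    return results


def join_by_timestamp(timed_projections):
    """Join of timestamped projections (lists of (timestamp, action)). A shared action
    carries one timestamp everywhere (an interaction is stamped by the coordinator
    that establishes it), so the union sorted by timestamp is the join. Inconsistent
    input raises ValueError instead of silently producing a run."""
    by_ts = {}
    for proj in timed_projections:
        prev = None
        for ts, action in proj:
            if prev is not None and ts <= prev:
                raise ValueError("projection order disagrees with timestamps")
            if by_ts.setdefault(ts, action) != action:
                raise ValueError(f"timestamp {ts} carries two different actions")
            prev = ts
    return [by_ts[ts] for ts in sorted(by_ts)]


# Constructed inputs following the text: pi_2 and pi_3, without and with timestamps.
PI2 = ["p1", "p2", "x12", "p2"]
PI3 = ["p3", "p4", "x34", "p3"]
T2 = [(1, "p1"), (2, "p2"), (3, "x12"), (7, "p2")]   # p2's timestamped view of phi
T3 = [(4, "p3"), (5, "p4"), (6, "x34"), (8, "p3")]   # p3's timestamped view of phi

if __name__ == "__main__":
    print(len(consistent_joins([PI2, PI3])))      # candidate joins without timestamps
    print(" ".join(join_by_timestamp([T2, T3])))  # the single join once timestamps are known
```

Without timestamps the two projections of the example admit 70 interleavings, among them both joins named in the text; with timestamps the union is sorted into exactly one of them.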

5 A Real Implementation 

Based on the results in the previous section we now present a general distributed
algorithm to implement semantic constraints that satisfy the localizability and
equivalence-robustness criteria. By this we mean augmenting each process in an
interaction system with variables and actions, and possibly introducing auxiliary
processes, so that the resulting computations satisfy a given semantic constraint.
Due to the space limitation, we shall only highlight the main ideas. The complete
code and its analysis will be given in the full paper.

Let C be a localizable semantic constraint on IS = (P, I, M), and let S be a
localizable scheduler satisfying C. In the implementation we pair each process
$p_i \in P$ with a coordinator process $Coord_i$, which $p_i$ "activates" upon entering a
ready state. $Coord_i$ acts as a local scheduler for $p_i$ by simulating the scheduling of
some restriction of S to $p_i$. Processes communicate exclusively with coordinators
and vice versa. We assume that communication is by reliable FIFO message
passing.

In the light of Lemma 3 we must ensure that the overall run rendered by
IS is equivalent to some $d_t(S,A)$, where $\mathcal{S}$ is the set of restrictions simulated
by the coordinators, A is an adversary of IS, and t is an advertent trace. To
do so, when $Coord_i$ is activated, it chooses an interaction x from $p_i.aim$ and
attempts to establish x by capturing the processes in $P_x$. When all processes
are captured, $Coord_i$ computes the global run viewed by the participants of
x. By this "global" run we mean the computation in which events (concerning
only processes' readiness and their interactions) are ordered by their logical
timestamps. Note that this run may not be the same as the one that is observed
outside the system (i.e., the run where events are ordered by the universal time at
which they take place). However, the logical clocks maintained by the processes
guarantee that the two runs are equivalent. Since C is equivalence-robust, it
suffices to ensure that the global run envisaged by the processes is valid. We
shall use $\alpha$ to denote this global run.

We do not need each $p_j$ to maintain a copy of $\alpha$. Instead, $p_j$ maintains only
its local view of $\alpha$, which, as shall be clear, corresponds to $p_j$'s projection in
$\alpha$. The local view is built incrementally in a variable $\beta_j$ as follows. Initially,
$\beta_j = \epsilon$. When $p_j$ becomes ready, it appends the ready transition $p_j.aim$ to
$\beta_j$. The timestamp of the ready transition is taken from $p_j$'s logical clock at
which the action occurs. Logical clocks are maintained through timestamped
message passing as described in [ref]. When a coordinator $Coord_i$ attempting
x has captured all processes in $P_x$, it computes the join $\pi$ of $\{\beta_j \mid p_j \in P_x\}$
and checks if $S(\pi) = x$. (Note that $\pi = [\alpha]_{P_x}$.) If so, $Coord_i$ has successfully
established x for $p_i$. It then releases all processes it has captured and directs them
to execute x by informing each $p_j$ to update its $\beta_j$ to $\pi \cdot x$, where x's timestamp
is given by $Coord_i$'s logical clock at the time it establishes x. If $S(\pi) \ne x$,
$Coord_i$ aborts its attempt on x by releasing all processes it has captured except
$p_i$, which still remains captured by $Coord_i$. $Coord_i$ then attempts another
interaction in $p_i.aim$ for $p_i$. If all interactions have been attempted, then $Coord_i$
stops its coordination activity and releases $p_i$, which can now be captured by
other coordinators. Note that in the above $Coord_i$ will also abort its attempt on
x if it fails to capture a process in $P_x$.

The way that each $\beta_j$ is maintained guarantees that at any time instant
$\beta_j = [\alpha]_{p_j}$. As time proceeds ad infinitum, so long as we can guarantee that
$\alpha$ corresponds to some $d_t(S,A)$ defined in Definition 7 such that the trace t is
advertent, then by Lemma 3 $\alpha$ is valid. To relate $\alpha$ with $d_t(S,A)$, we assume
that an activated coordinator $Coord_i$ establishes an empty interaction if it fails
to establish any interaction for $p_i$. The timestamp of the empty interaction is
given by the time $Coord_i$ stops its coordination activity. So the relative order of
the coordinators' scheduling in $d_t(S,A)$ is determined by the time they finish
their coordination activities (either because they have established a nonempty
interaction or because they have failed to do so).

Footnote: Because each $\beta_j$ is the projection of the global run $\alpha$ where actions are ordered by
their timestamps, the join of $\{\beta_j \mid p_j \in P_x\}$ can be computed without the complete
knowledge of $\alpha$; see the comment at the end of Section 4.

Recall that Lemma 4 provides a scheme to guarantee an advertent trace. To
apply the lemma, we use the timestamp of $p_i$'s ready transition to implement
$p_i$'s age in the ready state $p_i$ enters. (Timestamps are made unique by additionally
considering process ids.) The age of a coordinator $Coord_i$ is taken to be
the same as the age of $p_i$. Before describing our techniques for coping with the
three conditions of the lemma, we must note that coordinators may be activated
concurrently and therefore attempt to establish interactions at the same time.
So a necessary condition to apply Lemma 4 is to guarantee that conflicting
interactions cannot be established simultaneously. The main techniques used in
the implementation are summarized below.

1. A process can be captured by only one coordinator at a time.

2. Upon activating $Coord_i$, $p_i$ is immediately captured by $Coord_i$ and remains
captured until $Coord_i$ stops its coordination activity.

3. An activated coordinator $Coord_i$ will not stop its coordination activity until
either it has established an interaction, or for each $x \in p_i.aim$ $Coord_i$ has
failed to capture a process in an attempt to establish x.

4. A coordinator $Coord_i$ is only allowed to capture older processes (except $p_i$,
which has the same age as $Coord_i$).

5. A coordinator $Coord_i$ attempting to capture $p_j$ to establish x can fail only
if (a) $p_j$ is not ready for x, or (b) $Coord_i$ is older than $p_j$.

6. Two or more coordinators seeking to establish interactions involving a common
process are said to conflict. Specifically, a conflict arises when a coordinator
attempts to capture a process that already belongs to another
coordinator. Conflicts are resolved in favor of older coordinators to prevent
a coordinator from being locked out from capturing processes. That is, we
let the older of the two coordinators capture/retain the process p under
contention. The younger coordinator then has to wait until p is released by the
older coordinator.

7. A coordinator $Coord_i$ attempts the interactions in $p_i.aim$ in a round-robin
style: if $Coord_i$ has successfully established x, then x will be placed at the
end of the attempt list (which is initialized arbitrarily) so that the next time
$Coord_i$ is activated, it will not attempt x until all other attempts have
failed.
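The seven techniques are easier to reason about once written down as executable decision logic. The Python below is an added example for this edition, not the authors' implementation (their complete code is deferred to the full paper). It models one activation of a coordinator over a constructed interaction system with $P_{x_{12}} = \{p_1,p_2\}$, $P_{x_{23}} = \{p_2,p_3\}$ and $P_{x_{34}} = \{p_3,p_4\}$, uses (timestamp, process id) pairs as unique ages exactly as the text prescribes, and stands in for S with the least-executed-interaction rule of the game example. It is a sequential model: message passing and clock adjustment are not simulated, and a coordinator that would have to wait for an older holder under technique 6 is reported as blocked instead of actually waiting.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Proc:
    pid: int
    age: tuple                  # (logical timestamp of the ready transition, pid); larger = younger
    aim: list                   # interactions the process is ready for, in attempt order (technique 7)
    held_by: Optional[int] = None  # pid of the coordinator holding the process (technique 1)


# Constructed interaction system (not the paper's figure): P_x for each interaction x.
PARTICIPANTS = {"x12": (1, 2), "x23": (2, 3), "x34": (3, 4)}
# How often each interaction has executed, for the least-executed-interaction scheduler.
EXEC_COUNT = {x: 0 for x in PARTICIPANTS}


def older(a, b):
    """Age a is older than age b: ages are unique tuples and smaller means older."""
    return a < b


def request_capture(coord, target, x, procs):
    """Coord_{coord.pid} asks to capture `target` while attempting to establish x.
    Returns "ok", "wait" (a younger coordinator waits for an older holder, technique 6)
    or a failure reason (technique 5)."""
    if target is coord:
        return "ok"                              # p_i itself has the same age as its coordinator
    if x not in target.aim:
        return "fail:not-ready"                  # technique 5(a)
    if older(coord.age, target.age):
        return "fail:target-younger"             # techniques 4 and 5(b): only older processes
    holder = target.held_by
    if holder is None or holder == coord.pid:
        target.held_by = coord.pid
        return "ok"
    if older(procs[holder].age, coord.age):
        return "wait"                            # the holder is older and retains the process
    target.held_by = coord.pid                   # the requester is older and captures it
    return "ok"


def scheduler_choice(captured):
    """Stand-in for S restricted to the captured participants: among the interactions
    enabled in their joint view, choose the least executed one (ties broken by name)."""
    pids = {q.pid for q in captured}
    enabled = [y for y, ps in PARTICIPANTS.items()
               if set(ps) <= pids and all(y in q.aim for q in captured if q.pid in ps)]
    return min(enabled, key=lambda y: (EXEC_COUNT[y], y)) if enabled else None


def run_activation(coord, procs):
    """One activation of Coord_{coord.pid}: attempt the interactions in coord.aim in order,
    capture their participants, consult the scheduler, establish or abort (technique 3).
    Returns the established interaction, or None for the empty interaction."""
    coord.held_by = coord.pid                    # technique 2: p_i is captured on activation
    for x in list(coord.aim):
        captured, outcome = [], "ok"
        for p in PARTICIPANTS[x]:
            outcome = request_capture(coord, procs[p], x, procs)
            if outcome != "ok":                  # a failure, or a "wait" treated as blocked here
                break
            captured.append(procs[p])
        if outcome == "ok" and scheduler_choice(captured) == x:
            EXEC_COUNT[x] += 1
            for q in captured:                   # release everybody, p_i included
                q.held_by = None
            coord.aim.remove(x)                  # technique 7: x moves to the end of the list
            coord.aim.append(x)
            return x
        for q in captured:                       # abort this attempt: release all but p_i
            if q is not coord:
                q.held_by = None
    coord.held_by = None                         # nothing could be established: release p_i
    return None


def make_procs():
    """Constructed sample state: four ready processes with distinct ages (p1 oldest)."""
    return {1: Proc(1, (1, 1), ["x12"]),
            2: Proc(2, (2, 2), ["x12", "x23"]),
            3: Proc(3, (3, 3), ["x23", "x34"]),
            4: Proc(4, (4, 4), ["x34"])}


if __name__ == "__main__":
    procs = make_procs()
    print(run_activation(procs[1], procs))   # p1 is older than p2 and may not capture it
    print(run_activation(procs[3], procs))   # p3 is the youngest participant of x23
```

The first call shows condition 2 of Lemma 4 at work: the oldest process cannot capture a younger participant, so its coordinator ends with the empty interaction, and it is the coordinator of the youngest participant that establishes the interaction in the second call.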

In the following we informally argue why these techniques are useful to guarantee
the three conditions of Lemma 4, thereby ensuring that all computations
of the system satisfy C. A more formal proof will be given in the full paper.
First of all, technique 1 guarantees that conflicting interactions are not established
simultaneously. Next, consider the first condition of Lemma 4. There are
two clauses in the condition. Observe that techniques 4 and 6 guarantee that no
other coordinator $Coord_k$ can successfully capture $p_i$ while $p_i$ is being captured
by $Coord_i$: If $Coord_k$ is older than $p_i$ then it is not allowed to capture $p_i$. If
$Coord_k$ is younger, then it is also younger than $Coord_i$ because $Coord_i$ has the
same age as $p_i$. So $Coord_k$ must wait until $Coord_i$ has finished its coordination
activity and released $p_i$. By technique 2, then, immediately after $p_i$ activates
$Coord_i$, no other coordinator can capture $p_i$ until $Coord_i$ has stopped its coordination
activity. The fact that a process activates its coordinator only once in
a ready state, and that a coordinator establishes at most one interaction for its
process per activation, then ensures that a process's local scheduler is activated
exactly once in a ready state. So the first clause of the condition is satisfied.

Based on the first clause, the second clause can be derived by showing that
if x is enabled immediately after some process $p \in P_x$ enters a ready state,
then it cannot be the case that p is not the youngest process in $P_x$ and the
coordinator of the youngest process in $P_x$ has stopped its coordination activity.
To see this, technique 3 guarantees that if a coordinator $Coord_i$ fails to establish
x, then some $p_j \in P_x$ must have rejected $Coord_i$'s capture request. By the logical
clock adjustment, when $p_j$ receives $Coord_i$'s capture request, $p_j$'s clock must be
advanced to a value greater than $Coord_i$'s (and thus $p_i$'s) age. By technique 5,
for $p_j$ to reject $Coord_i$'s capture request, either $p_j$ is not yet ready for x, or $p_j$
(and thus $Coord_j$) is younger than $Coord_i$. Note that here it suffices to consider
the former case, because in the latter case $p_j$ is in a ready state and by the
implementation $p_j$ must activate $Coord_j$ regardless of whether it is the youngest
process in $P_x$ or not. For the former case, it is clear that $p_j$ must obtain an age
younger than $p_i$'s when it enters a ready state. So the second clause is satisfied.

For condition 2, the capture rules (techniques 3 to 5) and the fact that coordinators
will not cyclically block one another from capturing processes (see technique 6) ensure
that at any given point if $S([\alpha]_{P_y}) = y$, then the youngest coordinator, say $Coord_i$,
among $\{Coord_k : p_k \in P_y\}$ will establish y, unless some other coordinator $Coord_j$
has concurrently established a conflicting interaction z. In the latter case, let p
be a process in $P_y \cap P_z$. By technique 3, $Coord_i$ will not give up capturing p
until p has rejected $Coord_i$'s capture request (because z has been established
by $Coord_j$). So $Coord_j$ will finish its coordination activity before $Coord_i$ does.
By our ordering of coordinators' scheduling, z is added to $\alpha$ before $Coord_i$'s
scheduling result is added (which may be an empty interaction). Note that by
technique 4, $Coord_j$ must be the youngest coordinator among $\{Coord_k : p_k \in P_z\}$.
This means that, when viewing $\alpha$ as some $d_t(S,A)$ in Lemma 4, if $p_{i,j} \in P_x$,
$S([d^{i,j-1}(S,A)]_{P_x}) = x$, and $p_{i,j}$ is the youngest process among $P_x$, then
$S{\downarrow}_{p_{i,j}}(d^{i,j-1}(S,A))$ must not return an empty interaction. Moreover, technique 7
guarantees that if there is another interaction x' satisfying the same condition
(that $p_{i,j} \in P_{x'}$, $S([d^{i,j-1}(S,A)]_{P_{x'}}) = x'$, and $p_{i,j}$ is the youngest process among
$P_{x'}$) but the associated coordinator of $p_{i,j}$ chooses x, then the next time the
same situation occurs the coordinator will favor x'. So condition 2 of Lemma 4
is satisfied.

Finally, recall that techniques 4 and 6 guarantee that immediately after $p_i$
has entered a ready state and activated $Coord_i$, no other coordinator $Coord_k$ can
successfully capture $p_i$ until $Coord_i$ has finished its coordination activity. That
is, $Coord_k$'s scheduling result is timestamped after $Coord_i$'s. So if $S([\alpha]_{P_x}) = x$
and $p_i$ is the youngest process in $P_x$, then no other coordinator can capture $p_i$
until $Coord_i$ has attempted x. So condition 3 of Lemma 4 is satisfied.

6 Conclusions 

We have presented a localizability criterion that allows local runs to be composed
into a valid global run. Based on this criterion, we have presented a general distributed
algorithm to implement equivalence-robust semantic constraints. As
we have shown, $SIF^+$ is localizable. Since SIF is stronger than most semantic
constraints in the literature, most equivalence-robust semantic constraints are
localizable as well. That is, they can all be distributedly implemented. (Note
that SIF is not equivalence-robust, and cannot even be implemented by any
centralized algorithm [ref].) In particular, when interactions cannot contain
interactions (y contains x if $x \ne y$ and $P_x \subset P_y$), we have shown in [ref] that $SIF^+$
is the strongest implementable equivalence-robust semantic constraint one can
impose on any system where processes interact by engaging in interactions. Our
results in this paper then indicate that under such circumstances $SIF^+$ is also
the strongest semantic constraint that can be distributedly implemented.

Semantic constraints are often defined over an abstract model (like the one
presented in Section [ref]) where the execution of interactions is assumed to be
"atomic." However, processes in the underlying system of execution are usually
asynchronous and so must synchronize in order to execute an interaction.
So the paper is concerned with whether or not a semantic constraint can be
(distributedly) implemented in the underlying system. Other issues related to
global vs. local views of fairness have also been studied in the literature. Howell
et al. [ref] investigate how the global and local views of state fairness affect
the complexity and decidability of the fair nontermination problem (which
concerns whether there exists an infinite fair computation). They show that the
problem related to local fairness is, in some cases, harder to analyze than that
related to global fairness. Burkhard [ref] studies the effects of combination and of
distribution of controls (i.e., abstract schedulings) for multi-agent systems. In
general, the effects of different individual controls cannot satisfy arbitrary global
requirements, nor can the recombination of a distributed global control. Note
that both papers study their problems in an abstract model as described above.
Abstract. We introduce a hypergraph-based process calculus with a
generic type system. That is, a type system checking an invariant property
of processes can be generated by instantiating the original type
system. We demonstrate the key ideas behind the type system, namely
that there exists a hypergraph morphism from each process graph into
its type, and show how it can be used for the analysis of processes. Our
examples are input/output-capabilities, secrecy conditions and avoiding
vicious circles occurring in deadlocks.

In order to specify the syntax and semantics of the process calculus and
the type system, we introduce a method of hypergraph construction using
concepts from category theory.



1 Introduction 

In this work we propose a framework for the generation of type systems checking
invariant properties of processes. We introduce a graph-based, asynchronous
process calculus, similar to the polyadic $\pi$-calculus [ref], and give a generic
type system for this calculus. Specialized type systems can then be generated by
instantiating the original system.

Type systems are a valuable tool for the static analysis of parallel processes.
Applications range from checking the use of channels [ref], confirming confluence
[ref], avoiding deadlocks [ref] and ascertaining security properties [ref]. In
all these cases, types are considered as partial descriptions of process behaviour,
staying invariant during reduction. Furthermore a method for inferring properties
of a process out of its behaviour description is required. Generally types
are computable and in some type systems there is a most general or principal
type for every typable process, from which all other types of the process can be
derived. The flip side to type systems is the fact that some correct processes may
not be typable.

Examining the type systems mentioned above, one can observe that they 
share similarities concerning the structure of types and typing rules. Our idea 
is to present a framework making a first step towards the integration of differ- 
ent type systems. The generic type system presented in this paper satisfies the 
subject reduction property, and we can guarantee absence of runtime errors for 
well-typed processes, the existence of principal types and of a type inference 
algorithm. 



Jos C.M. Baeten, Sjouke Mauw (Eds.): CONCUR'99, LNCS 1664, pp. 352 ff., 1999.
© Springer-Verlag Berlin Heidelberg 1999

Generating Type Systems for Process Graphs



In order to type communicating processes, recursive types are essential. They
can be represented in several ways: as expressions with a recursion operator $\mu$
(e.g. in [ref]), as infinite trees [ref] or as graphs [ref] (for different representations
of recursive types for the $\lambda$-calculus see [ref]). We chose graph representation
for types as well as for processes. This enables us to establish a close correspondence
between processes and types: there is a graph morphism from each
process into its type. Thus, if a type graph satisfies a property which is closed
under inverse graph morphisms (e.g. absence of cycles, necessary for deadlock
prevention), it is also valid for the process and, because of the subject reduction
property, for all its successors.

Since in a general type system like ours the properties of a process which are 
to be analyzed are not fixed a priori, a close relationship between processes and 
their types is essential. Describing both processes and types by graphs seems 
a convenient method for allowing easy inference of process properties. This al- 
lows a systematic approach to obtaining correctness proofs for generated type 
systems. It is not clear to us how the same effect could be achieved by a string 
representation of processes. 

There are several papers describing various ways of representing processes by
graphs [refs]. Our method is closest to [ref], but differs in several aspects,
the most prominent being that we employ hierarchical hypergraphs.

Pure graph structure (or hypergraph structure in our case) is ordinarily not
sufficient to capture relevant properties of a process. We therefore enrich our
types by annotating them with lattice elements, e.g. describing input/output-
capabilities of ports or channels. Every set of mappings assigning lattice elements
to nodes or edges of a graph is a lattice itself, and thus it is sufficient to assign
only one lattice element to every graph. It is necessary to define how these lattice
elements behave under morphisms. This is described by a functor mapping graph
morphisms to join-morphisms in lattices. It is not the only case where we make
use of category theory. It also allows us to give an elegant definition of graph
construction (related to [ref]) in terms of co-limits.

The annotation of graphs with lattice elements is another argument in favour
of the use of graphs. It is more convenient to add additional labels or structures
to a type represented as a graph than to a type represented by a term. This
point will become clearer in section [ref], where we will assign lattice elements to
pairs of nodes.



2 Categorical Hypergraph Construction 

We work with a variant of graphs: so-called hypergraphs, where each edge
has several (ordered) source nodes. There are two kinds of labels: edge sorts
and edge labels.

Definition 1. (Hypergraph) Let Z be a fixed set of edge sorts and let L be a
fixed set of labels. A simple hypergraph G is a tuple $G = (V, E, s, z, l)$ where V
is a set of nodes, E is a set of edges disjoint from V, $s: E \to V^*$ maps each edge
to a string of source nodes, $z: E \to Z$ assigns a sort to each edge and $l: E \to L$
assigns a label to each edge.

A hypergraph or multi-pointed hypergraph $H = G[\chi]$ is composed of a simple
hypergraph $G = (V, E, s, z, l)$ and a string $\chi \in V^*$, called the string of
external nodes. $EXT_H$ is the set of all external nodes in H.

The components of a hypergraph H are denoted by $V_H, E_H, s_H, z_H, l_H, \chi_H$,
while the components of a simple hypergraph G are denoted by $V_G, E_G, s_G, z_G, l_G$.
Furthermore we define the arity of edges and hypergraphs as follows:
$ar(e) := |s_H(e)|$ if $e \in E_H$, and $ar(G[\chi]) := |\chi|$.

External nodes are the interface of a hypergraph with its environment and
are used to attach hypergraphs. In the process calculus, which will be presented
in section 3, we have two edge sorts, dividing the edge set into processes and
messages, while the label of a process specifies its behaviour. In the rest of this
paper we use both terms graph and hypergraph interchangeably.

The following definition of hypergraph morphism is quite straightforward.
A morphism is expected to preserve graph structure, as well as edge sorts and
labels:

Definition 2. (Hypergraph Morphism) Let G, G' be two simple hypergraphs.
A hypergraph morphism $\phi: G \to G'$ consists of two mappings $\phi_E: E_G \to E_{G'}$,
$\phi_V: V_G \to V_{G'}$ satisfying for all $e \in E_G$:

$$\phi_V(s_G(e)) = s_{G'}(\phi_E(e)), \qquad z_G(e) = z_{G'}(\phi_E(e)), \qquad l_G(e) = l_{G'}(\phi_E(e)).$$

We write $\phi: G[\chi] \to G'[\chi']$ if $\phi: G \to G'$ is a hypergraph morphism. If
additionally $\phi_V(\chi) = \chi'$, $\phi$ is called a strong morphism.

$G[\chi]$ and $G'[\chi']$ are called strongly isomorphic ($G[\chi] \cong G'[\chi']$) if there exists
a bijective strong morphism from one graph into the other.



Notation:

We call a hypergraph discrete if its edge set is empty.
$m$ denotes a discrete graph of arity $m \in \mathbb{N}$ with m
nodes where every node is external (see (a); external
nodes are labelled (1), (2), ... in their respective
order).

$H := z_n(l)$ is the hypergraph with exactly one edge e
with sort z and label l where $s_H(e) = \chi_H$, $|\chi_H| = n$,
$V_H = EXT_H$ (see (b); nodes are ordered from left to
right).

[Figure: (a) the discrete graph consisting of the m external nodes (1) ... (m); (b) a single edge attached to the n external nodes (1) ... (n).]

For the definition of the process calculus and its type system we need some
basic concepts from category theory, namely categories, functors and co-limits.
Detailed definitions can be found in [ref].

Since we want to associate hypergraphs with lattice elements, we need a
functor between the following two categories:

Footnote: Each morphism can be extended to strings of nodes in a canonical way, i.e.
$\phi_V(v_1 \ldots v_n) = \phi_V(v_1) \ldots \phi_V(v_n)$.
The category of hypergraphs (with hypergraph morphisms): The class
of all simple hypergraphs (multi-pointed hypergraphs) forms a category together
with the (strong) hypergraph morphisms.

The category of lattices (with join-morphisms): Let $(I_1, \le_1)$, $(I_2, \le_2)$ be
two lattices with bottom elements $\bot_1$ respectively $\bot_2$. For two elements
$a_1, b_1 \in I_1$ ($a_2, b_2 \in I_2$) let $a_1 \vee_1 b_1$ ($a_2 \vee_2 b_2$) be the least upper bound or
join of the two elements.

A mapping $t: I_1 \to I_2$ is called a join-morphism iff $t(a_1 \vee_1 b_1) = t(a_1) \vee_2 t(b_1)$
and $t(\bot_1) = \bot_2$.

Type graphs are hypergraphs $G[\chi]$ which are associated with a lattice element.
A type functor F maps every type graph to a lattice $F(G)$ from which this
associated lattice element can be taken. The concept of hypergraph morphisms
can be extended to type graph morphisms, of which we demand that they not
only preserve graph structure but also the order in the corresponding lattices.

Definition 3. (Type Functors and Type Graphs) A functor F from the
category of simple hypergraphs into the category of lattices is called a type functor.

$T = G[\chi, a]$ where $G[\chi]$ is a hypergraph and $a \in F(G)$ is called a type graph
wrt. F. The class of all type graphs wrt. F is denoted by $\mathcal{T}_F$.

We write $\phi: G[\chi, a] \to G'[\chi', a']$ if $\phi: G \to G'$ is a hypergraph morphism
and $F(\phi)(a) \le a'$. $\phi$ is called a type graph morphism.

We say $\phi$ is a strong type graph morphism if additionally $\phi_V(\chi) = \chi'$.

Two type graphs $G[\chi, a]$, $G'[\chi', a']$ are called isomorphic (wrt. F) if there
exists a strong isomorphism $\phi: G[\chi] \to G'[\chi']$ such that $F(\phi)(a) = a'$. In this
case we write $G[\chi, a] \cong_F G'[\chi', a']$.

Note: If $H = G[\chi]$ we define $H[a] := G[\chi, a]$.

Example: We consider the following type functor F: let $(I, \le)$ be an arbitrary
lattice and let $k \in \mathbb{N}$. For any simple hypergraph G we define $F(G)$ as the set of
all mappings from $(V_G)^k$ (cartesian product) into I (which yields a lattice with
pointwise order).

Let $a: (V_G)^k \to I$, $\phi: G \to G'$, $s' \in (V_{G'})^k$. We define:

$$F(\phi)(a) := a' \quad\text{where}\quad a'(s') := \bigvee_{\phi_V(s) = s'} a(s).$$

It is straightforward to check that F is indeed a type functor.
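The morphism conditions of Definition 2, the strongness condition, and the transport $F(\phi)(a)$ of the example functor can be checked on small graphs. The Python below is an added example for this edition, not code from the paper: it encodes simple hypergraphs as dictionaries, tests the three equations of Definition 2, and implements the example type functor for $k = 1$ with I taken to be sets of capability names ordered by inclusion, so that the join is union and the bottom element is the empty set. The graphs, the morphism and the capability names are constructed; the example folds two process edges of a process-like graph onto one edge of its type, the situation the introduction describes.

```python
from dataclasses import dataclass


@dataclass
class Hypergraph:
    """A simple hypergraph (Definition 1): a node set and a map from each edge
    to (string of source nodes, sort, label)."""
    nodes: frozenset
    edges: dict


def is_morphism(G, Gp, phi_v, phi_e):
    """(phi_E, phi_V) is a hypergraph morphism G -> G' (Definition 2): total on nodes and
    edges, and for every edge the source string, the sort and the label are preserved."""
    if set(phi_v) != set(G.nodes) or set(phi_e) != set(G.edges):
        return False
    if not set(phi_v.values()) <= Gp.nodes or not set(phi_e.values()) <= set(Gp.edges):
        return False
    for e, (src, sort, label) in G.edges.items():
        src_p, sort_p, label_p = Gp.edges[phi_e[e]]
        if tuple(phi_v[v] for v in src) != tuple(src_p):   # phi_V(s_G(e)) = s_G'(phi_E(e))
            return False
        if sort != sort_p or label != label_p:              # z and l are preserved
            return False
    return True


def is_strong(phi_v, ext, ext_p):
    """Strong morphism: the external-node string chi is mapped to chi' position by position."""
    return tuple(phi_v[v] for v in ext) == tuple(ext_p)


def transport(phi_v, a, Gp):
    """F(phi)(a) for the example functor with k = 1 and I = sets under inclusion:
    a'(s') is the union of a(s) over all s with phi_V(s) = s'; a node of G' without
    a preimage receives the bottom element, the empty set."""
    out = {v: frozenset() for v in Gp.nodes}
    for v, caps in a.items():
        out[phi_v[v]] = out[phi_v[v]] | frozenset(caps)
    return out


def is_type_morphism(G, Gp, phi_v, phi_e, a, a_p):
    """Type graph morphism (Definition 3): a hypergraph morphism with F(phi)(a) <= a'
    in the pointwise order, i.e. every transported capability set is contained in a'."""
    if not is_morphism(G, Gp, phi_v, phi_e):
        return False
    moved = transport(phi_v, a, Gp)
    return all(moved[v] <= frozenset(a_p.get(v, ())) for v in Gp.nodes)


# Constructed example: two process edges sharing node u2 are folded onto one type edge Q.
G = Hypergraph(frozenset({"u1", "u2", "u3"}),
               {"P1": (("u1", "u2"), "proc", "send"), "P2": (("u3", "u2"), "proc", "send")})
T = Hypergraph(frozenset({"v1", "v2"}), {"Q": (("v1", "v2"), "proc", "send")})
PHI_V = {"u1": "v1", "u3": "v1", "u2": "v2"}
PHI_E = {"P1": "Q", "P2": "Q"}
A = {"u1": {"out"}, "u3": {"in"}, "u2": set()}      # capability annotation on G

if __name__ == "__main__":
    print(is_morphism(G, T, PHI_V, PHI_E))
    print(transport(PHI_V, A, T))
    print(is_type_morphism(G, T, PHI_V, PHI_E, A, {"v1": {"in", "out"}, "v2": set()}))
```

Folding u1 and u3 onto v1 joins their capabilities, so a type annotation that grants v1 only "out" is rejected: the order condition $F(\phi)(a) \le a'$ is what makes a type an upper bound of the process it describes.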

We now introduce a mechanism for the construction of hypergraphs. Compared
to string concatenation it is not so obvious how to build larger graphs
out of smaller ones. We describe a construction plan with morphisms mapping
discrete graphs into discrete graphs. This construction plan is then applied to
hypergraphs by a co-limit construction. Our method is related to the double-
pushout approach for graph rewriting described in [ref].
If we define how to transform and sum up lattice elements, we can assemble
type graphs in the same way.



Definition 4. (Construction of Hypergraphs and Type Graphs)

Let $H_1, \ldots, H_n$ be hypergraphs and let $\zeta_i: m_i \to D$, $i \in \{1, \ldots, n\}$, be hypergraph
morphisms where $ar(H_i) = m_i \in \mathbb{N}$ and D is a discrete graph. There is
always a unique strong morphism $\phi_i: m_i \to H_i$ for every $i \in \{1, \ldots, n\}$.

Let H (with morphisms $\psi: D \to H$, $\psi_i: H_i \to H$) be the co-limit of
$\zeta_1, \ldots, \zeta_n, \phi_1, \ldots, \phi_n$ such that $\psi$ is a strong morphism. We define:

$$\bigotimes_{i=1}^{n} (H_i, \zeta_i) := H.$$

[Diagram: for each i, the square formed by $m_i \to D \to H$ and $m_i \to H_i \to H$ commutes.]

Let $T_i = H_i[a_i]$, $i \in \{1, \ldots, n\}$ be type graphs and let F be a fixed type functor.
The construction of type graphs wrt. F is defined in the following way:

$$\bigotimes_{i=1}^{n} (T_i, \zeta_i) := \Big(\bigotimes_{i=1}^{n} (H_i, \zeta_i)\Big)[a] \quad\text{where}\quad a := \bigvee_{i=1}^{n} F(\psi_i)(a_i).$$

Generally, co-limits do not necessarily exist, but they always exist in our
case. The co-limit is unique up to isomorphism (i.e. bijective morphisms), but
not unique up to strong isomorphism. Therefore we demand above that the
morphism from D into the co-limit is a strong morphism and thereby determine
the string of external nodes of the result.

In order to clarify the intuition behind graph construction we give the following
two examples:

Example 1: As stated above, the morphisms $\zeta_i$ can be regarded as a construction
plan for assembling hypergraphs. The example in figure 1 illustrates this:
we describe how to construct $H$ out of smaller hypergraphs $H_1, H_2, H_3$.
In this case $H = \bigotimes_{i=1}^{3}(H_i, \zeta_i)$ (see the graphical description of $\zeta_1, \zeta_2, \zeta_3$ in the figure).

Example 2: Let $H_1, H_2$ be hypergraphs with $ar(H_1) = ar(H_2) = n$. Then
$H_1 \Box H_2 := \bigotimes_{i=1}^{2}(H_i, \zeta_i)$ where $\zeta_1, \zeta_2 : n \to n$ are the unique strong morphisms
from $n$ into $n$. That is, $H_1 \Box H_2$ is constructed out of $H_1, H_2$ by fusing corresponding
external nodes.

Every hypergraph can be decomposed into hyperedges and has the following
normal form:

Proposition 1. (Graph Construction out of Hyperedges) Let $H$ be a hypergraph.
Then there exists a natural number $n$, sorts $z_i$, labels $l_i$ and morphisms
$\zeta_i : m_i \to D$ (where $i \in \{1, \ldots, n\}$ and $D$ is a discrete hypergraph) such that

$$H = \bigotimes_{i=1}^{n} \big((z_i)_{m_i}(l_i), \zeta_i\big)$$

3 Process Graphs

We are now ready to introduce the calculus: an expression in our process calculus
is a hierarchical hypergraph. Edges represent either processes or
messages (since we present an asynchronous calculus we distinguish processes
and messages) and nodes represent ports. In the rest of this paper we use
the names “port” and “node” interchangeably.

Definition 5. (Process Graph) A process graph $P$ is inductively defined as
follows: $P$ is a hypergraph with edge sorts $Z = \{proc, mess\}$. Edges with $z_P(e) = proc$
are called processes and edges with $z_P(e) = mess$ are called messages.

Processes are either labelled $!Q$ (replication) or $\lambda_k^{(n)}.Q$ (the process receives
a message with $n + 1$ ports, one of them the send-port, on its $k$-th port and then
behaves like $Q$) where $Q$ is again a process graph. Messages have at least arity 1
and remain unlabelled (or are labelled with dummies).

By definition, a message is sent to its last port: $send_P(e) := \lfloor s_P(e) \rfloor_{ar(e)}$ if
$z_P(e) = mess$. Process graphs have an intuitive graphical representation which
will be introduced step by step.

The most important form of reduction in our calculus is the reception of a 
message by a process, which means the replacement of a redex, consisting of 
process and message, by the hypergraph inside the process. 

Redex: Let $P_1 := proc_m(l)$, $P_2 := mess_{n+1}$ and let $1 \le k \le m$. Furthermore let

$$\zeta_1 : m \to m+n \quad\text{with}\quad \zeta_1(\chi_m) := \lfloor \chi_{m+n} \rfloor_{1 \ldots m}$$

$$\zeta_2 : n+1 \to m+n \quad\text{with}\quad \zeta_2(\chi_{n+1}) := \lfloor \chi_{m+n} \rfloor_{m+1 \ldots m+n\,k}$$

We define $Red_{k,m,n}(l) := \bigotimes_{i=1}^{2}(P_i, \zeta_i)$.

(Footnote: we define the following operator on strings: if $s = a_1 \ldots a_n$ is a string, we define
$\lfloor s \rfloor_{i_1 \ldots i_k} := a_{i_1} \ldots a_{i_k}$.)

Graphical representation: We draw messages with dashed lines, thereby distinguishing
them from processes.

We favour reduction semantics in the spirit of the Chemical Abstract Machine.
Our calculus obeys the rules of structural congruence and reduction
in table 1: $\equiv$ is the smallest equivalence which contains hypergraph isomorphism
and which satisfies the rules (C-ABSTR), (C-REPL1), (C-CON) and (C-REPL2).

Note that runtime errors may occur if $ar(P) \ne m + n$ in (R-MR) or $ar(P) \ne n$
in (C-REPL2), i.e. if the left hand and the right hand side of a rule do not have
the same arity, or if there is a mismatch in arities for the construction operator
$\Box$.

[Figure: the redex $Red_{k,m,n}(l)$, drawn as a process edge $proc$ attached to the ports $(1), \ldots, (k), \ldots, (m)$ and a dashed message edge $mess$ attached to the ports $(m+1), \ldots, (m+n)$ whose send-port is $(k)$.]

Table 1. Operational semantics of process graphs

(C-ABSTR)   $P_1 \equiv P_2 \;\Longrightarrow\; proc_n(\lambda_k^{(m)}.P_1) \equiv proc_n(\lambda_k^{(m)}.P_2)$

(C-REPL1)   $P_1 \equiv P_2 \;\Longrightarrow\; proc_n(!P_1) \equiv proc_n(!P_2)$

(C-REPL2)   $proc_n(!P) \equiv P \Box proc_n(!P)$

(C-CON)     $P_i \equiv Q_i,\ i \in \{1, \ldots, n\} \;\Longrightarrow\; \bigotimes_{i=1}^{n}(P_i, \zeta_i) \equiv \bigotimes_{i=1}^{n}(Q_i, \zeta_i)$

(R-MR)      $Red_{k,m,n}(\lambda_k^{(n)}.P) \to P$

(R-EQU)     $Q \equiv P,\ P \to P',\ P' \equiv Q' \;\Longrightarrow\; Q \to Q'$

(R-CON)     $P_i \to P_i',\ (i \ne j \Rightarrow P_j = P_j') \;\Longrightarrow\; \bigotimes_{j=1}^{n}(P_j, \zeta_j) \to \bigotimes_{j=1}^{n}(P_j', \zeta_j)$

Mobility of port addresses is inherent in rule (R-MR): for a process of the
form $proc_m(\lambda_k^{(n)}.P)$ the arity of $P$ should be $m+n$ in order not to cause runtime
errors. If such a process receives a message with $n$ ports attached to it, the rules
cause the first $m$ external ports of $P$ to fuse with the ports of the process, while
the rest of the ports fuse with the ports of the message. In this way a process
can gain access to new ports, which means dynamic restructuring of the entire
process graph. This feature is often called mobility.

Our calculus, as presented here, is closely related to the asynchronous,
polyadic $\pi$-calculus without summation (see appendix A). Asynchronous means,
in this case, that the continuation of an output prefix is always $0$, the nil process.
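As an added worked example (not code from the paper), the following Python sketch implements the construction operator $\bigotimes(H_i, \zeta_i)$ of Definition 4 as a union-find quotient of the disjoint union, the lattice join $F(\psi)(a)$ of the type functor example for $k = 1$, and one (R-MR) reduction step including the arity check that raises the runtime error mentioned above. The hypergraph representation, the bit-set encoding of the I/O lattice, and the process graph built by `example()` (a process that receives a port and forwards it to a second receiver) are this example's own assumptions, not the paper's figure.

```python
"""Definition 4 (hypergraph gluing) and rule (R-MR) on a small process graph.

Added example, not the paper's code. Nodes are any hashable ids; an edge is a
triple (sort, label, source-node list s(e)); a process label is ('!', Q) or
('lambda', k, n, Q) for lambda_k^(n).Q; messages carry label None."""
from dataclasses import dataclass


@dataclass
class Hypergraph:
    nodes: list   # node ids
    edges: list   # (sort, label, [source nodes])
    ext: list     # external node string chi_H

    def ar(self):
        return len(self.ext)


def glue(parts, plans, d_nodes, d_ext):
    """Co-limit of Definition 4. plans[i] lists zeta_i(chi_{m_i}) as D-nodes, i.e. the
    D-node that the j-th external node of H_i is fused with. Returns H and the
    morphisms psi_i : V_{H_i} -> V_H (dicts); psi : D -> H is strong, so chi_H = psi(chi_D)."""
    for H, plan in zip(parts, plans):
        if len(plan) != H.ar():
            raise RuntimeError("runtime error: arity mismatch in construction operator")
    parent = {('D', v): ('D', v) for v in d_nodes}   # union-find over the disjoint union

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for i, H in enumerate(parts):
        for v in H.nodes:
            parent[(i, v)] = (i, v)
        for pos, dv in enumerate(plans[i]):          # fuse phi_i(x) with zeta_i(x)
            parent[find((i, H.ext[pos]))] = find(('D', dv))
    ids = {}                                          # equivalence classes = nodes of H
    for x in list(parent):
        ids.setdefault(find(x), len(ids))
    psi = [{v: ids[find((i, v))] for v in H.nodes} for i, H in enumerate(parts)]
    edges = [(sort, lab, [psi[i][v] for v in src])
             for i, H in enumerate(parts) for sort, lab, src in H.edges]
    return Hypergraph(list(range(len(ids))), edges, [ids[find(('D', v))] for v in d_ext]), psi


# Type functor example with k = 1 and the I/O lattice bot < in, out < both (bit sets, join = |).
BOT, IN, OUT, BOTH = 0, 1, 2, 3


def F_apply(psi, a):
    """F(psi)(a) = a' with a'(s') = join of a(s) over all s with psi(s) = s'."""
    a2 = {}
    for s, val in a.items():
        a2[psi[s]] = a2.get(psi[s], BOT) | val
    return a2


def find_redex(P):
    """Indices (proc, mess) of a redex Red_{k,m,n}(lambda_k^(n).Q) in P, or None."""
    for i, (sort, lab, ports) in enumerate(P.edges):
        if sort != 'proc' or lab[0] != 'lambda':
            continue
        _, k, n, _ = lab
        for j, (sort2, _, q) in enumerate(P.edges):
            if sort2 == 'mess' and len(q) == n + 1 and q[-1] == ports[k - 1]:
                return i, j
    return None


def reduce_mr(P, pi, mi):
    """(R-MR): drop process and message, glue Q with its first m external ports on the
    process ports and the last n on the message ports (mobility of port addresses)."""
    _, (_, k, n, Q), p_ports = P.edges[pi]
    _, _, q_ports = P.edges[mi]
    m = len(p_ports)
    if Q.ar() != m + n:
        raise RuntimeError("runtime error: ar(Q) != m + n")
    rest = Hypergraph(P.nodes, [e for j, e in enumerate(P.edges) if j not in (pi, mi)], list(P.nodes))
    H, _ = glue([rest, Q], [list(P.nodes), p_ports + q_ports[:-1]], P.nodes, P.ext)
    return H


def reduce_all(P):
    """Apply (R-MR) until no redex is left; returns the final graph and the step count."""
    steps = 0
    while (r := find_redex(P)) is not None:
        P, steps = reduce_mr(P, *r), steps + 1
    return P, steps


def example():
    """Constructed process graph with external ports e1, e2 and internal ports a, b:
    a message sends e2 to b; a process listening at b forwards (e1, received port) to a;
    a process listening at a sends the second received port to the first."""
    Q1 = Hypergraph(['b', 'a', 'e1', 'x1'], [('mess', None, ['e1', 'x1', 'a'])], ['b', 'a', 'e1', 'x1'])
    Q2 = Hypergraph(['a', 'y1', 'y2'], [('mess', None, ['y2', 'y1'])], ['a', 'y1', 'y2'])
    return Hypergraph(['e1', 'e2', 'a', 'b'],
                      [('mess', None, ['e2', 'b']),
                       ('proc', ('lambda', 1, 1, Q1), ['b', 'a', 'e1']),
                       ('proc', ('lambda', 1, 2, Q2), ['a'])],
                      ['e1', 'e2'])
```

Running `reduce_all(example())` performs two receptions and leaves a single message that sends the second external port to the first: the port flow that the secrecy predicate of section 5.2 is designed to catch. Both arity checks raise the runtime error that a well-typed graph never triggers.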
Example: In figure 2 we give a small example, illustrating message reception in
the calculus. Note that messages are drawn with dashed lines, all other edges
represent processes. The dashed arrow leading away from a message indicates
the send-port of a message. The arrows leading to the source nodes of an edge
are ordered from left to right. Furthermore the external ports inside a process
abstraction which are going to be fused with the ports of a message are filled
with grey. The corresponding expression in the $\pi$-calculus would be

$$(\nu a)(\nu b)\big(a(a_1 a_2).Q \mid b(b_1).\overline{a}\langle e_1 b_1\rangle.Q \mid \overline{b}\langle e_2\rangle.0\big)$$

where $e_1, e_2$ are the names representing external ports (the only free names).
(See also appendix A.)

Fig. 2. Example reduction



4 The Type System 

We assume that $F$ is a fixed type functor. It is one of the two parameters of the
type system; we will now specify the second: we need a method for mapping a
process graph to a corresponding type graph. It is only necessary to describe
this mapping for graphs consisting of one edge only. The extension to arbitrary
graphs is straightforward.

Definition 6. (Linear Mapping) Let $L$ be a function which maps graphs of
the form $z_n(l)$ to type graphs in $\mathcal{T}_F$, satisfying $ar(L(z_n(l))) = n$. Furthermore
we demand that

$$P_1 \equiv P_2 \;\Longrightarrow\; L(P_1) =_F L(P_2) \quad (1)$$

$$\exists \phi : mess_n[\bot] \xrightarrow{F} L(mess_n) \quad (2)$$

Since proposition 1 implies that all hypergraphs can be constructed out of graphs
of the form $z_n(l)$ we can expand $L$ to arbitrary hypergraphs in the following way:

$$L\Big(\bigotimes_{i=1}^{n}(H_i, \zeta_i)\Big) := \bigotimes_{i=1}^{n}(L(H_i), \zeta_i)$$

$L$ is well-defined and is called a linear mapping.
Condition (2) in the definition of the linear mapping may seem somewhat out
of place. It is however (together with condition (3) below and rule (T-ABSTR))
essential to the proof of the subject reduction property (see proof sketch below).
Both conditions ensure that nodes that might get fused during reduction are
already fused in the type graph.

The type system works with arbitrary linear mappings as long as they satisfy
conditions (1) and (2). In practice, however, the structure of the graphs created
by the linear mappings does not vary much (see also section 5) and the important
part in defining the linear mappings is to choose sensible lattice elements.

We have now described the two parameters of the type system: the type
functor $F$ and the linear mapping $L$ and the conditions imposed on them. The
typing rules in table 2 describe how a type can be assigned to an expression,
$P \triangleright G[x, a]$ meaning that the process graph $P$ has type $G[x, a]$. We demand that
in $G$ every port is the send-port of at most one message, i.e. $G$ satisfies:

$$e, e' \in E_G,\ z_G(e) = z_G(e') = mess,\ send_G(e) = send_G(e') \;\Longrightarrow\; e = e' \quad (3)$$
The main motivation behind the typing rules is to ensure that there exists a
morphism $L(P) \xrightarrow{F} T$ if $P \triangleright T$, and that the subject reduction property holds.
The former is ensured by the morphisms in rules (T-PROC), (T-MESS) and
(T-CON) and the latter is mainly ensured by typing rule (T-ABSTR). In (T-ABSTR)
we demand the existence of a message in the type graph which implies,
with conditions (2) and (3), that, in the type graph, the images of ports attached
to any message arriving at the $k$-th port are already fused with the images of the
last $n$ ports of $P$. (T-CON) checks that all parts of a hypergraph are typed and
that their types overlap at least in the corresponding external ports (they may
overlap in other places as well). (T-REPL) states that we can produce copies of
a process without changing its type since all copies are represented by the same
part of the type graph, and the join operation in lattices is idempotent.

Table 2. Typing Rules

(T-PROC)   $l \triangleright G[x, a],\ \exists \phi : L(proc_n(l)) \xrightarrow{F} G[x, a] \;\Longrightarrow\; proc_n(l) \triangleright G[x, a]$

(T-MESS)   $\exists \phi : L(mess_n) \xrightarrow{F} G[x, a] \;\Longrightarrow\; mess_n \triangleright G[x, a]$

(T-REPL)   $P \triangleright G[x, a] \;\Longrightarrow\; !P \triangleright G[x, a]$

(T-ABSTR)  $P \triangleright G[x, a],\ \exists \phi : mess_{n+1} \to G[\lfloor x \rfloor_{m+1 \ldots m+n\,k}],\ |x| = m+n \;\Longrightarrow\; \lambda_k^{(n)}.P \triangleright G[\lfloor x \rfloor_{1 \ldots m}, a]$

(T-CON)    $\exists \phi : D \to G[x]$ strong, $\zeta_i : m_i \to D,\ P_i \triangleright G[\phi(\zeta_i(\chi_{m_i})), a],\ i \in \{1, \ldots, n\} \;\Longrightarrow\; \bigotimes_{i=1}^{n}(P_i, \zeta_i) \triangleright G[x, a]$
Condition (3) cannot be satisfied if there are messages with a different number
of ports sent to the same port. It therefore ensures that the arities of expected
and received messages match and thus avoids runtime errors.

The type system satisfies the properties listed below. 

Proposition 2. (Properties of the Type System)

Subject Reduction Property: $P \triangleright G[x, a],\ P \to Q \;\Longrightarrow\; Q \triangleright G[x, a]$

Runtime Errors: $P \triangleright G[x, a]$ implies that $P$ will never cause a runtime error.

Morphisms: $P \triangleright G[x, a] \;\Longrightarrow\; \exists \phi : L(P) \xrightarrow{F} G[x, a]$

Principal Types: If $P$ is typable then there exists a principal type graph
$P \triangleright G[x, a]$ with

- $\phi : G[x, a] \xrightarrow{F} G'[x', a']$ implies $P \triangleright G'[x', a']$

- $P \triangleright G'[x', a']$ implies the existence of $\phi : G[x, a] \xrightarrow{F} G'[x', a']$, where $\phi$ is
a strong morphism

And there exists a type inference algorithm constructing the principal type
graph for every process graph, if it exists.

In order to expose the intuition behind the type system we show that reduction
of a process does not change its type. In order to unravel the typing and to
be able to trace it backwards, we need the following non-trivial lemma:

Lemma 1. Let $\bigotimes_{i=1}^{n}(P_i, \zeta_i) \triangleright G[x, a]$ with $\zeta_i : m_i \to D$. Then there is a strong
morphism $\phi : D \to G[x]$ such that for all $i \in \{1, \ldots, n\}$: $P_i \triangleright G[\phi(\zeta_i(\chi_{m_i})), a]$.

We now demonstrate how to prove the subject reduction property in the case
of (R-MR):

Proof Sketch (Subject Reduction Property): Let $Red_{k,m,n}(\lambda_k^{(n)}.Q) \triangleright G[x, a]$.
It follows with lemma 1 that

$$proc_m(\lambda_k^{(n)}.Q) \triangleright G[\lfloor x \rfloor_{1 \ldots m}, a], \qquad mess_{n+1} \triangleright G[\lfloor x \rfloor_{m+1 \ldots m+n\,k}, a]$$

Since $proc_m(\lambda_k^{(n)}.Q)$ was typed with (T-PROC) and (T-ABSTR) it follows that
there exists a string $x'$ of nodes of $G$ such that

$$Q \triangleright G[\lfloor x \rfloor_{1 \ldots m} \circ x', a], \qquad mess_{n+1} \to G[x' \circ \lfloor x \rfloor_k]$$

And since (2) and (T-MESS) imply that

$$mess_{n+1}[\bot] \xrightarrow{F} L(mess_{n+1}) \xrightarrow{F} G[\lfloor x \rfloor_{m+1 \ldots m+n\,k}, a]$$

it follows with condition (3) that $x' = \lfloor x \rfloor_{m+1 \ldots m+n}$ and therefore $Q \triangleright G[x, a]$.

We now describe how the type system can be used for verification purposes:
we introduce two predicates $X$ and $Y$ where $X$ is a predicate on type graphs
and $Y$ is a predicate on process graphs. We want to show that $Y$ is an invariant
with the help of $X$.

Proposition 3. (Process Analysis with the Type System) Let $Y$ be a
predicate on process graphs and let $X$ be a predicate on type graphs of the form
$G[x, a]$. We assume that $X, Y$ satisfy

$$X(L(P)) \;\Longrightarrow\; Y(P) \quad (4)$$

$$\phi : G[x, a] \xrightarrow{F} G'[x', a'],\ X(G'[x', a']) \;\Longrightarrow\; X(G[x, a]) \quad (5)$$

i.e. $X$ is closed under inverse hypergraph morphisms.

Then $P \triangleright G[x, a]$ and $X(G[x, a])$ imply $Y(Q)$ for all $Q$ with $P \to^{*} Q$.

A full type system is determined by four components: the type functor $F$, a
linear mapping $L$ and the two predicates $X, Y$.



5 Examples 

In the following examples we use a rather restricted linear mapping $L$ with

$$L(proc_n(l)) =_F n[a_p] \qquad L(mess_n) =_F mess_n[a_m]$$

for lattice elements $a_p, a_m$, yet to be determined. That is, in this case, type graphs
consist of messages only. Furthermore we use the type functor $F$ introduced in
the example above (mappings from $(V_G)^k$ into a lattice $I$). The simplest version of this type system, where
every lattice consists of one element only, corresponds to standard type systems
for the $\pi$-calculus with recursive types, but without let-polymorphism.

In all of the following examples the predicate $X$ is preserved by inverse hypergraph
morphisms.



5.1 Input/Output-Capabilities 

We want to ensure that some external ports are only used as input ports (i.e. for
receiving messages) and that some are only used as output ports (i.e. for sending
messages). For $F$ we choose $k = 1$, $I = \{\bot, in, out, both\}$ where $\bot < in < both$
and $\bot < out < both$ and $in \vee out = both$. The linear mapping $L$ is defined in the
following way:

$$L(proc_m(l)) = m[a_p] \quad\text{where}\quad a_p(\lfloor \chi \rfloor_i) := \begin{cases} in & \text{if } l = \lambda_i^{(n)}.P,\ n \in \mathbb{N} \\ \bot & \text{otherwise} \end{cases}$$

$$L(mess_n) = mess_n[a_m] \quad\text{where}\quad a_m(\lfloor \chi \rfloor_i) := \begin{cases} out & \text{if } i = n \\ \bot & \text{otherwise} \end{cases}$$

Since the only nodes of $proc_m$ and $mess_n$ are external, it is sufficient to define
$a_p$ and $a_m$ on the respective string $\chi$ of external nodes.

We want to ensure that $P$ will never reduce to a process graph $P'$ where a
message is sent to $\lfloor \chi_{P'} \rfloor_i$. The corresponding predicate $X$ is:

$$X(G[x, a]) := (a(\lfloor x \rfloor_i) \le in)$$



Generating Type Systems for Process Graphs 363 

If we replace $in$ by $out$ in $X$ we can conclude that $P$ will never reduce to a
process graph $P'$ where a process listens at $\lfloor \chi_{P'} \rfloor_i$.

A similar version of this type system is presented in 

Typing the example process graph from section 3 (figure 2) yields the principal
type in figure 3 (left). This implies that the first external port is not used
for any I/O-operations at all, while the second external port is only an output



Fig. 3. Types for process graphs (input /output, secrecy, deadlocks) 



5.2 Secrecy of External Ports 

We assume that the external ports of a process graph can have different levels of
secrecy. They might either be public or secret. Both sorts of ports can be used
to send or receive messages, but it is not allowed to forward a secret port to a
receiver listening at a public port.

We choose $k = 2$, $I = \{false, true\}$ where $\{false, true\}$ is the boolean lattice
with $false < true$. If a tuple $(v_1, v_2)$ is associated with $true$, this means that the
port $v_2$ is sent to $v_1$. The mapping $L$ has the following form:

$$L(proc_m(l)) = m[a_p] \quad\text{where}\quad a_p(\lfloor \chi \rfloor_i, \lfloor \chi \rfloor_j) := false$$

$$L(mess_n) = mess_n[a_m] \quad\text{where}\quad a_m(\lfloor \chi \rfloor_i, \lfloor \chi \rfloor_j) := \begin{cases} true & \text{if } i = n,\ j \ne n \\ false & \text{otherwise} \end{cases}$$

Let $P$ be a process graph and assume that the sets $SEC$ and $PUB$ form a
partition of $\{1, \ldots, ar(P)\}$. If the type of $P$ satisfies

$$X(G[x, a]) := (\forall i \in PUB,\ j \in SEC : a(\lfloor x \rfloor_i, \lfloor x \rfloor_j) = false)$$

it follows that no message with secret ports attached to it is ever sent to a
public port. In this case typing the example process graph yields the principal
type in figure 3 (middle), where an arrow from port $v_2$ to $v_1$ indicates that
$a(v_1, v_2) = true$. The predicate $X$ is not satisfied only in the case where the first
external port is secret and the second external port is public. In all other cases,
the process graph is well-typed.

I presents a related method for checking the secrecy of ports. 



5.3 Avoiding Deadlocks 

We attempt to avoid vicious circles of processes and messages waiting for one
another and causing a deadlock. Let $P$ be a process graph with a non-empty
edge set such that there is no process graph $P'$ with $P \to P'$ and (C-REPL2) is
not applicable, i.e. $P$ is stuck. Then at least one of the following conditions is
satisfied:

(1) There is a message waiting or a process listening at an external port. This
case is good-natured, since $P$ is only waiting to perform an I/O-operation.

(2) There is an internal port where all edges connected to it are either messages
sent to this port, or processes listening at this port.

(3) There is a vicious circle, i.e. a sequence $v_0, \ldots, v_u = v_0 \in V_P$ such that
for every pair $v_i, v_{i+1}$ there is either a message $q$ with $send_P(q) = v_i$ and
$\lfloor s_P(q) \rfloor_j = v_{i+1}$ for some $j \in \{1, \ldots, ar(q) - 1\}$, or a process $p$ with $l_P(p) = \lambda_k^{(n)}.Q$,
$\lfloor s_P(p) \rfloor_k = v_i$ and $\lfloor s_P(p) \rfloor_j = v_{i+1}$ for some $j \in \{1, \ldots, ar(p)\}$, $j \ne k$.

Our aim is to avoid circles as described in (3). We set $k := 2$ and $I$ is again
the boolean lattice with $false$ and $true$. We define:

$$L(proc_m(l)) = m[a_p] \quad\text{where}\quad a_p(\lfloor \chi \rfloor_i, \lfloor \chi \rfloor_j) := \begin{cases} true & \text{if } l = \lambda_i^{(n)}.P,\ j \ne i,\ n \in \mathbb{N} \\ false & \text{otherwise} \end{cases}$$

$$L(mess_n) = mess_n[a_m] \quad\text{where}\quad a_m(\lfloor \chi \rfloor_i, \lfloor \chi \rfloor_j) := \begin{cases} true & \text{if } i = n,\ j \ne n \\ false & \text{otherwise} \end{cases}$$

$$X(G[x, a]) := \big(\neg \exists\, v_0, \ldots, v_n = v_0 \in V_G : a(v_i, v_{i+1}) = true,\ 0 \le i < n\big)$$

In this case we can retrieve the principal type of our example process graph
rather easily from the type in section 5.2. All we have to do is add the arrows
(with filled arrow heads) produced by $a_p$ (see figure 3 (right)).

Since there is no circle of arrows we can conclude that the process graph will
(during its reduction) never contain a vicious circle as described in (3).

Similar methods for avoiding deadlocks are presented in 



5.4 Composing Type Systems 

We assume that we have two type systems, with functors $F_1, F_2$, linear mappings
$L_1, L_2$, predicates $X_1, X_2$ on type graphs and predicates $Y_1, Y_2$ on process graphs.

We define a functor $F$ with $F(G) := (I_1 \times I_2, \le)$ if $F_i(G) = (I_i, \le_i)$, $i = 1, 2$
and $(a_1, a_2) \le (a_1', a_2') \iff a_1 \le_1 a_1'$ and $a_2 \le_2 a_2'$.

Furthermore $F(\phi)((a_1, a_2)) := (F_1(\phi)(a_1), F_2(\phi)(a_2))$.

Furthermore let $L(P) := G[x, (a_1, a_2)]$ if $L_1(P) =_{F_1} G[x, a_1]$ and $L_2(P) =_{F_2} G[x, a_2]$.
This requires, of course, that $L_1$ and $L_2$ map process graphs to type
graphs of the same structure. This is actually not a severe restriction since all
practical examples can be defined in such a way that they satisfy this condition
(see the examples in this section).

We define

$$X_\wedge(G[x, (a_1, a_2)]) := X_1(G[x, a_1]) \wedge X_2(G[x, a_2])$$

$$X_\vee(G[x, (a_1, a_2)]) := X_1(G[x, a_1]) \vee X_2(G[x, a_2])$$

Then $F, L, X_\wedge, Y_1 \wedge Y_2$ respectively $F, L, X_\vee, Y_1 \vee Y_2$ denote type systems checking
the conjunction respectively disjunction of $Y_1$ and $Y_2$. A type system checking a
negated property can only be constructed in very special cases.
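As an added example (not from the paper), the following Python code evaluates the predicates $X$ of sections 5.2 and 5.3 on a type graph $G[x, a]$ for $k = 2$ with the boolean lattice, where $a$ is represented as the set of pairs $(v_1, v_2)$ with $a(v_1, v_2) = true$, and shows the product-lattice composition $X_\wedge$ of section 5.4 together with the closure under inverse morphisms (5) that Proposition 3 requires. The type graphs are constructed by hand: they stand in for the principal types that the paper's type inference would produce, which is not implemented here, and all node and helper names are this example's own.

```python
"""Predicates X of sections 5.2 (secrecy), 5.3 (deadlock) and their composition (5.4)
on type graphs G[x, a] with k = 2 and the boolean lattice.

Added example, not the paper's code. A type graph is (ext, rel): ext is the external
node string x (1-based positions as in the paper), rel the set of pairs (v1, v2) with
a(v1, v2) = true, i.e. 'port v2 is sent to port v1'."""


def F_apply(phi, rel):
    """F(phi)(a): the join over preimages; for the boolean lattice this is the image of rel."""
    return {(phi[v1], phi[v2]) for v1, v2 in rel}


def is_morphism(phi, src, dst):
    """phi : G[x,a] -> G'[x',a'] is a type-graph morphism iff every true pair of G is
    mapped to a true pair of G' and the external strings correspond (phi strong)."""
    return F_apply(phi, src[1]) <= dst[1] and [phi[v] for v in src[0]] == list(dst[0])


def x_secrecy(tg, pub, sec):
    """Section 5.2: no secret port is sent to a public port, i.e. a(x_i, x_j) = false
    for i in PUB, j in SEC (1-based indices into the external string)."""
    ext, rel = tg
    return all((ext[i - 1], ext[j - 1]) not in rel for i in pub for j in sec)


def x_deadlock(tg):
    """Section 5.3: no cycle v0 -> v1 -> ... -> v0 with a(v_i, v_{i+1}) = true."""
    _, rel = tg
    succ = {}
    for v1, v2 in rel:
        succ.setdefault(v1, set()).add(v2)
    done, on_path = set(), set()

    def dfs(v):
        if v in on_path:
            return False          # back edge: a vicious circle
        if v in done:
            return True
        on_path.add(v)
        ok = all(dfs(w) for w in succ.get(v, ()))
        on_path.discard(v)
        done.add(v)
        return ok

    return all(dfs(v) for v in list(succ))


def x_and(tg_pair, pub, sec):
    """Section 5.4: X_and on the product lattice, i.e. on a pair (a1, a2) of annotations
    over one underlying graph; here a1 is the secrecy relation, a2 the waiting relation."""
    ext, (rel_sec, rel_wait) = tg_pair
    return x_secrecy((ext, rel_sec), pub, sec) and x_deadlock((ext, rel_wait))


# Constructed type graphs over ports e1, e2 (external, positions 1 and 2) and a, b.
# SAFE: e2 is sent to b, e1 and e2 are sent to a; nothing is sent to an external port.
SAFE = (['e1', 'e2'], {('b', 'e2'), ('a', 'e1'), ('a', 'e2')})
# LEAK: additionally e2 is sent to e1, so a secret e2 would reach a public e1.
LEAK = (['e1', 'e2'], SAFE[1] | {('e1', 'e2')})
# WAIT: a process listening at a waits for b and one listening at b waits for a.
WAIT = (['e1', 'e2'], {('a', 'b'), ('b', 'a')})
# FUSED: the image of SAFE under the morphism PHI fusing a and b (a coarser type);
# property (5) says X on FUSED carries over to SAFE.
PHI = {'e1': 'e1', 'e2': 'e2', 'a': 'ab', 'b': 'ab'}
FUSED = (['e1', 'e2'], F_apply(PHI, SAFE[1]))
```

The predicates only inspect the relation $a$, never the process graph, which is the point of Proposition 3: once the type is known, the invariant holds for every reduct. Fusing nodes (as (T-ABSTR) does for ports that may be fused at runtime) can only add true pairs, so a check that passes on the fused graph passes on the finer one.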
6 Conclusion and Comparison to Related Work

Several type systems for process calculi have been proposed, each checking different
properties of processes, e.g. I/O-capabilities, confluence, secrecy
in security protocols or deadlock-freedom. This paper is an attempt to
integrate these approaches and to propose one single generic type system which
can be instantiated in order to verify invariant properties of processes. Our type
system seems to be especially well-suited for properties related to the geometry
of processes and messages represented in the process graph.

Kohei Honda proposes a general framework for type systems, satisfying
the condition of strict additivity, i.e. two processes connected to each other via
several ports can be typed if and only if connections via one port only can be
typed. As Honda remarks in his paper, strict additivity is sometimes too strong,
e.g. in the case of deadlock-freedom. The type system presented in this paper is
semi-additive, i.e. the “if and only if” is replaced by “only if”. In contrast to Honda's framework,
our method of instantiation is restricted, but this enables us to prove the subject
reduction property for all possible type systems.

There is, of course, a trade-off between generality and the percentage of
processes which can be typed: e.g. in the case of I/O-capabilities our type system
is less powerful than the dedicated I/O type system, which can partly be
explained by the very general nature of our type system and partly by the fact
that the dedicated type system does not have principal types.

We believe, however, that this type system can serve as a starting point for 
further research. 

We will finish by discussing two existing extensions of this type system which
we were not able to present here due to limited space:

— Sometimes labelling processes with lattice elements does not seem to be
sufficient. E.g. if we want to type confluent processes, typing involves
the counting of processes and messages adjacent to a certain port. (In this
case we have to demand that there is at most one process listening and at
most one message waiting at a certain port.) Counting is also necessary if we
want to design a type system checking (2) in the conditions for deadlocks
or if we attempt to introduce linear types.

An extension of our type system is based on lattice-ordered monoids rather
than on lattices.

— It is not very difficult to extend the process calculus to a calculus where 
higher-order communication is possible, i.e. where entire processes can be 
sent as the content of a message. The corresponding extension of the type 
system is not very hard. 

We have to add environments, describing the type of the variables in a pro- 
cess graph. Furthermore it is necessary to slightly change the linear mapping 
L and rule (T-ABSTR). 

Another future area of research is the use of the results of the type system in
order to establish bisimilarity of processes.
A Process Graphs and the Asynchronous Polyadic $\pi$-Calculus

In order to show how process graphs are related to the $\pi$-calculus we give an encoding,
transforming a subset of all process graphs to expressions in the asynchronous polyadic
$\pi$-calculus.

Definition 7. (Encoding) Let $P$ be a process graph such that $\chi_P$ is duplicate-free,
i.e. $\lfloor \chi_P \rfloor_i = \lfloor \chi_P \rfloor_j$ implies $i = j$. And we assume that the same condition is satisfied
for all process graphs occurring inside of $P$. Let $\mathcal{N}$ be the name set of the $\pi$-calculus
and let $t \in \mathcal{N}^*$ such that $|t| = ar(P)$. We define $\Theta_t(P)$ inductively as follows:

Message: $\Theta_{a_1 \ldots a_n}(mess_n) := \overline{a_n}\langle a_1 \ldots a_{n-1} \rangle.0$

Replication: $\Theta_t(proc_m(!P)) := \,!\Theta_t(P)$

Process Abstraction: $\Theta_{a_1 \ldots a_m}(proc_m(\lambda_k^{(n)}.P)) := a_k(x_1 \ldots x_n).\Theta_{a_1 \ldots a_m x_1 \ldots x_n}(P)$
where $x_1, \ldots, x_n \in \mathcal{N}$ are fresh names.

Process Graph Construction:

$$\Theta_t\Big(\bigotimes_{i=1}^{n}(P_i, \zeta_i)\Big) := (\nu\, p(V_D \setminus EXT_D))\big(\Theta_{p(\zeta_1(\chi_{m_1}))}(P_1) \mid \ldots \mid \Theta_{p(\zeta_n(\chi_{m_n}))}(P_n)\big)$$

where $\zeta_i : m_i \to D$, $i \in \{1, \ldots, n\}$ and $p : V_D \to \mathcal{N}$ is an arbitrary mapping such
that $p$ restricted to $V_D \setminus EXT_D$ is injective and $p(\chi_D) = t$.

If $n = 0$ (i.e. if the process graph is identical to $D$) we set $\Theta_t\big(\bigotimes_{i=1}^{0}(P_i, \zeta_i)\big) := 0$.

The set of all process graphs satisfying the condition in the definition above is closed
under reduction and corresponds exactly to the asynchronous part of the polyadic
$\pi$-calculus without summation. (We rely on the standard syntax and semantics of its
synchronous version, omitting sort annotations.)

Proposition 4. Let $p$ be an arbitrary expression in the asynchronous polyadic $\pi$-calculus
without summation. Then there exists a process graph $P$ (satisfying the condition
in definition 7) and a duplicate-free string $t \in \mathcal{N}^*$ such that $\Theta_t(P) = p$.

Furthermore for process graphs $P, P'$ satisfying the condition in definition 7 and
for every duplicate-free string $t \in \mathcal{N}^*$ with $|t| = ar(P) = ar(P')$ it is true that:

— $P \equiv P'$ implies $\Theta_t(P) \equiv \Theta_t(P')$

— $P \to P'$ implies $\Theta_t(P) \to \Theta_t(P')$

— $\Theta_t(P) \to p$ with $p \ne wrong$ implies that there exists a process graph $Q$ with $P \to Q$
and $\Theta_t(Q) \equiv p$

The proposition implies that one calculus can match the reductions of the other step
by step. The main difference of the calculi lies in their interface towards the environment.
How these interfaces are converted into one another is described by the string
$t$.
Abstract. We prove that weak bisimilarity is decidable in polynomial time between
BPA and finite-state processes, and between normed BPP and finite-state
processes. To the best of our knowledge, these are the first polynomial algorithms 
for weak bisimilarity with infinite-state systems. 



1 Introduction 

Recently, a lot of attention has been devoted to the study of decidability and complexity
of verification problems for infinite-state systems. We consider the problem
of weak bisimilarity between certain infinite-state processes and finite-state ones. The
motivation is that the intended behavior of a process is often easy to specify (by a finite-state
system), but a ‘real’ implementation can contain components which are essentially
infinite-state (e.g. counters, buffers). The aim is to check if the finite-state specification
and the infinite-state implementation are semantically equivalent, i.e. weakly bisimilar.

We concentrate on the classes of infinite-state processes definable by the syntax
of BPA (Basic Process Algebra) and normed BPP (Basic Parallel Processes) systems.
BPA processes can be seen as simple sequential programs (due to the binary operator of
sequential composition). They have recently been used to solve problems of dataflow
analysis in optimizing compilers. BPP model simple parallel systems (due to the
binary operator of parallel composition). A process is normed iff at every reachable
state it can terminate via a finite sequence of computational steps.

The state of the art. Baeten, Bergstra, and Klop proved that strong bisimilarity
is decidable for normed BPA processes. Simpler proofs have been given later,
and there is even a polynomial-time algorithm. The decidability result has
later been extended to the class of all (not necessarily normed) BPA processes, but
the best known algorithm is doubly exponential. Decidability of strong bisimilarity
for BPP processes has been established, but the algorithm has non-elementary
complexity. However, there is a polynomial-time algorithm for the subclass of normed
BPP. Strong bisimilarity between normed BPA and normed BPP is also decidable.
This result even holds for parallel compositions of normed BPA and normed BPP
processes.

For weak bisimilarity, much less is known. Semidecidability of weak bisimilarity
for BPP has been shown; it is also known that weak bisimilarity is decidable for those
BPA and BPP processes which are ‘totally normed’ (a process is totally normed if it can
terminate at any moment via a finite sequence of computational steps, but at least one
of those steps must be ‘visible’, i.e. non-internal). Decidability of weak bisimilarity for
general BPA and BPP is open; those problems might be decidable, but they are surely
intractable (assuming $P \ne NP$): for BPP we have $NP$-hardness, and for BPA even
$PSPACE$-hardness.

The situation is dramatically different if we consider weak bisimilarity between
certain infinite-state processes and finite-state ones. It has been shown that weak bisimilarity
between BPP and finite-state processes is decidable. A more general result has
recently been obtained, where it is shown that many bisimulation-like equivalences
(including the strong and weak ones) are decidable between PAD and finite-state
processes. The class PAD strictly subsumes not only BPA and BPP, but also PA
and pushdown processes. This result is obtained by a general reduction to the model-checking
problem for the simple branching-time temporal logic EF. As the model-checking
problem for EF is hard (for example, it is known to be $PSPACE$-complete for
BPP and $PSPACE$-hard for BPA), this reduction does not yield an efficient algorithm.



Our contribution. We show that weak (and hence also strong) bisimilarity is decidable
in polynomial time between BPA and finite-state processes, and between normed BPP
and finite-state processes. Due to the aforementioned hardness results for the ‘symmetric
case’ (when we compare two BPA or two (normed) BPP processes) we know that our
results cannot be extended in this direction. To the best of our knowledge, these are the
first polynomial algorithms for weak bisimilarity with infinite-state systems. Moreover,
the algorithm for BPA is the first example of an efficient decision procedure for a class
of unnormed infinite-state systems (the known polynomial algorithms for strong bisimilarity
only work for normed subclasses of BPA and BPP, respectively). It should
also be noted that simulation equivalence between BPA/BPP and finite-state systems is
co-$NP$-hard.

The basic scheme of our constructions for BPA and normed BPP processes is the
same. The main idea is that weak bisimilarity between BPA (or normed BPP) processes
and finite-state ones can be generated from a finite base and that certain infinite subsets
of BPA and BPP state-space can be ‘symbolically’ described by finite automata and
context-free grammars, respectively. A more detailed intuition is given in the following sections. As
weak bisimilarity is not a congruence w.r.t. sequencing (see Section 3), we propose its
natural refinement called termination-sensitive bisimilarity which is a congruence and
which is also decidable between BPA and finite-state processes in polynomial time.



2 Definitions 

We use process rewrite systems as a formal model for processes. Let $Act =
\{a, b, c, \ldots\}$ and $Const = \{X, Y, Z, \ldots\}$ be disjoint countably infinite sets of actions
and process constants, respectively. The class of process expressions $\mathcal{E}$ is defined by

$$E ::= \varepsilon \mid X \mid E \| E \mid E.E$$

where $X \in Const$ and $\varepsilon$ is a special constant that denotes
the empty expression. Intuitively, ‘.’ is sequential composition and ‘$\|$’ is parallel composition.
We do not distinguish between expressions related by structural congruence
which is given by the following laws: ‘.’ and ‘$\|$’ are associative, ‘$\|$’ is commutative,
and ‘$\varepsilon$’ is a unit for ‘.’ and ‘$\|$’.

A process rewrite system is specified by a finite set of rules $\Delta$ which have the
form $E \xrightarrow{a} F$, where $E, F \in \mathcal{E}$ and $a \in Act$. $Const(\Delta)$ and $Act(\Delta)$ denote the sets of
process constants and actions which are used in the rules of $\Delta$, respectively (note that
these sets are finite). Each process rewrite system $\Delta$ defines a unique transition system
where states are process expressions over $Const(\Delta)$, $Act(\Delta)$ is the set of labels, and
transitions are determined by $\Delta$ and the following inference rules (remember that ‘$\|$’ is
commutative):

$$\frac{(E \xrightarrow{a} F) \in \Delta}{E \xrightarrow{a} F} \qquad \frac{E \xrightarrow{a} E'}{E.F \xrightarrow{a} E'.F} \qquad \frac{E \xrightarrow{a} E'}{E \| F \xrightarrow{a} E' \| F}$$

We extend the notation $E \xrightarrow{a} F$ to elements of $Act^*$ in the standard way. $F$ is reachable
from $E$ if $E \xrightarrow{w} F$ for some $w \in Act^*$.

Sequential and parallel expressions are those process expressions which do not
contain the ‘$\|$’ and the ‘.’ operator, respectively. Finite-state, BPA, and BPP systems
are subclasses of process rewrite systems obtained by putting certain restrictions on
the form of the rules. Finite-state, BPA, and BPP allow only a single constant on the
left-hand side of rules, and a single constant, sequential expression, and parallel expression
on the right-hand side, respectively. The set of states of a transition system which
is generated by a finite-state, BPA, or BPP process $\Delta$ is restricted to $Const(\Delta)$, the
set of all sequential expressions over $Const(\Delta)$, or the set of all parallel expressions
over $Const(\Delta)$, respectively. A constant $X \in Const(\Delta)$ is normed iff $X \xrightarrow{w} \varepsilon$ for
some $w \in Act^*$. A process is normed iff all constants of its underlying system $\Delta$ are
normed.
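The inference rules and the normedness condition above, as an added example that is not the paper's code: the Python functions below generate the one-step transitions of a sequential (BPA) and a parallel (BPP) expression from a rule set $\Delta$, and compute the set of normed constants as the least fixpoint of ‘$X$ is normed if some rule $X \xrightarrow{a} \alpha$ rewrites $X$ into normed constants only’. The rule sets `COUNTER` and `LOOP` are constructed for this example; sequential expressions are tuples (prefix rewriting on the leftmost constant) and parallel expressions are multisets so that ‘$\|$’ is commutative.

```python
"""One-step transitions of BPA and BPP expressions and the normedness fixpoint.

Added example, not the paper's code. A rule set Delta is a list of (X, a, rhs) with
rhs a tuple of constants (() is epsilon). Sequential expressions are tuples; parallel
expressions are frozensets of (constant, count) pairs, i.e. multisets."""
from collections import Counter


def bpa_step(expr, delta):
    """E.F -a-> E'.F: only the leftmost constant of a sequential expression can move."""
    if not expr:
        return set()
    head, rest = expr[0], expr[1:]
    return {(a, rhs + rest) for x, a, rhs in delta if x == head}


def bpp_step(expr, delta):
    """E || F -a-> E' || F: any constant present in a parallel expression can move."""
    cur = Counter(dict(expr))
    out = set()
    for x, a, rhs in delta:
        if cur[x] > 0:
            new = Counter(cur)
            new[x] -= 1
            new.update(rhs)
            out.add((a, frozenset((+new).items())))    # drop zero counts, keep it hashable
    return out


def normed_constants(delta):
    """Least fixpoint: X is normed iff X -w-> epsilon for some w, i.e. some rule for X
    rewrites it into constants that are all normed (an empty rhs trivially is)."""
    normed = set()
    changed = True
    while changed:
        changed = False
        for x, _, rhs in delta:
            if x not in normed and all(y in normed for y in rhs):
                normed.add(x)
                changed = True
    return normed


def is_normed(delta):
    """A process is normed iff all constants of its system are normed."""
    return {x for x, _, _ in delta} <= normed_constants(delta)


def reachable(expr, delta, step, limit):
    """Breadth-first exploration of the state space, bounded because BPA and BPP
    systems are in general infinite-state."""
    seen, frontier = {expr}, [expr]
    while frontier and len(seen) < limit:
        nxt = []
        for e in frontier:
            for _, e2 in step(e, delta):
                if e2 not in seen:
                    seen.add(e2)
                    nxt.append(e2)
        frontier = nxt
    return seen


# Constructed rule sets: COUNTER is a normed BPA system with infinitely many states
# (X.Y.Y... counts the a's performed so far); LOOP adds an unnormed constant Z.
COUNTER = [('X', 'a', ('X', 'Y')), ('X', 'b', ()), ('Y', 'c', ())]
LOOP = COUNTER + [('Z', 'a', ('Z',)), ('Z', 'b', ('Z', 'Y'))]
```

`reachable(('X',), COUNTER, bpa_step, 10)` never terminates without the bound, which is the infinite-state phenomenon the paper's algorithms handle symbolically; `normed_constants(LOOP)` excludes `Z` because every rule for `Z` keeps `Z` on the right-hand side.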

The semantical equivalence we are interested in here is weak bisimilarity. This relation distinguishes between 'observable' and 'internal' moves (computational steps); the internal moves are modeled by a special action which is denoted '$\tau$' by convention. In what follows we consider process expressions over $Const(\Delta)$ where $\Delta$ is some fixed process rewrite system.

Definition 1. The extended transition relation '$\xRightarrow{a}$' is defined by $E \xRightarrow{a} F$ iff either $E = F$ and $a = \tau$, or $E \xrightarrow{\tau}^{i} E' \xrightarrow{a} E'' \xrightarrow{\tau}^{j} F$ for some $i, j \in \mathbb{N}_0$, $E', E'' \in \mathcal{E}$. A binary relation $R$ over process expressions is a weak bisimulation iff whenever $(E, F) \in R$ then for every $a \in Act$: if $E \xrightarrow{a} E'$ then there is $F \xRightarrow{a} F'$ s.t. $(E', F') \in R$, and if $F \xrightarrow{a} F'$ then there is $E \xRightarrow{a} E'$ s.t. $(E', F') \in R$. Processes $E, F$ are weakly bisimilar, written $E \approx F$, iff there is a weak bisimulation relating them.

Let $\Gamma$ be a finite-state system with $n$ states, $f, g \in Const(\Gamma)$. It is easy to show that the problem whether $f \approx g$ is decidable in $O(n^3)$ time. For example, we can compute the '$\Rightarrow$' relation of $\Gamma$ and then start to refine $Const(\Gamma) \times Const(\Gamma)$ in a number of steps until it 'stabilizes' w.r.t. $\Rightarrow$. We note that the use of some advanced techniques (see e.g. [?]) could probably decrease the mentioned upper bound; however, the complexity of the algorithms which are designed in this paper is a bit worse (even if we could decide the problem $f \approx g$ in constant time), hence we do not try to improve this bound.

Sometimes we also consider weak bisimilarity between processes of different process rewrite systems, say $\Delta$ and $\Gamma$. Formally, $\Delta$ and $\Gamma$ can be considered as a single system by taking their disjoint union.



3 BPA Processes 



Let $E$ be a BPA process with the underlying system $\Delta$, $F$ a finite-state process with the underlying system $\Gamma$ s.t. $Const(\Delta) \cap Const(\Gamma) = \emptyset$. We assume (w.l.o.g.) that $E \in Const(\Delta)$; moreover, we also assume that for all $f, g \in Const(\Gamma)$, $a \in Act$ s.t. $f \neq g$ or $a \neq \tau$ we have that $f \xRightarrow{a} g$ implies $f \xrightarrow{a} g \in \Gamma$. If those transitions are missing in $\Gamma$, we can add them safely; it does not influence our complexity estimations, as we always consider the worst case when $\Gamma$ has all possible transitions (we do not want to add new transitions of the form $f \xrightarrow{\tau} f$, because then our proof for weak bisimilarity would not immediately work for termination-sensitive bisimilarity, which is designed at the end of this section).

In this section, we use upper-case letters $X, Y, \ldots$ to denote elements of $Const(\Delta)$, and lower-case letters $f, g, \ldots$ to denote elements of $Const(\Gamma)$. Greek letters $\alpha, \beta, \ldots$ are used to denote elements of $Const(\Delta)^*$. The size of $\Delta$ is denoted by $n$, and the size of $\Gamma$ by $m$ (we measure the complexity of our algorithm in $(n, m)$).

The set $Const(\Delta)$ can be divided into two disjoint subsets of normed and unnormed constants (remember that $X \in Const(\Delta)$ is normed iff $X \xrightarrow{w} \varepsilon$ for some $w \in Act^*$). The set of all normed constants of $\Delta$ is denoted $Normed(\Delta)$. In our constructions we also use processes of the form $\alpha f$; they should be seen as BPA processes with the underlying system $\Delta \cup \Gamma$.



Intuition: Our proof can be divided into two parts: first we show that the greatest weak bisimulation between processes of $\Delta$ and $\Gamma$ is finitely representable. There is a finite relation $\mathcal{B}$ of size $O(nm^2)$ (called bisimulation base) such that each pair of weakly bisimilar processes can be generated from that base (a technique first used by Caucal [?]). Then we show that the bisimulation base can be computed in polynomial time. To do that, we take a sufficiently large relation $\mathcal{G}$ which surely subsumes the base and 'refine' it (this refinement technique has been used in [?]). The size of $\mathcal{G}$ is still $O(nm^2)$, and each step of the refinement procedure possibly deletes some of the elements of $\mathcal{G}$. If nothing is deleted, we have found the base (hence we need at most $O(nm^2)$ steps). The refinement step is formally introduced in Definition 4 (we compute the expansion of the currently computed approximation of the base). Intuitively, a pair of processes belongs to the expansion iff for each '$\to$' move of one component there is a '$\Rightarrow$' move of the other component s.t. the resulting pair of processes can be generated from the current approximation of $\mathcal{B}$. We have to overcome two fundamental problems:

1. The set of pairs which can be generated from $\mathcal{B}$ (and its approximations) is infinite.

2. The set of states which are reachable from a given BPA state in one '$\Rightarrow$' move is infinite.

We employ a 'symbolic' technique to represent those infinite sets (similar to the one used in [?]), taking advantage of the fact that they have a simple (regular) structure which can be encoded by finite-state automata (see Theorems 1 and 4). This allows us to compute the expansion in polynomial time.
Definition 2. A relation $K$ is fundamental iff it is a subset of

$$(Normed(\Delta) \cdot Const(\Gamma)) \times Const(\Gamma) \;\cup\; (Const(\Delta) \times Const(\Gamma)) \;\cup\; ((\{\varepsilon\} \cup Const(\Gamma)) \times Const(\Gamma))$$

Note that the size of any fundamental relation is $O(nm^2)$. The greatest fundamental relation is denoted by $\mathcal{G}$. The bisimulation base for $\Delta$ and $\Gamma$, denoted $\mathcal{B}$, is defined as follows: $\mathcal{B} = \{(Yf, g) \mid Yf \approx g,\ Y \in Normed(\Delta)\} \cup \{(X, g) \mid X \approx g\} \cup \{(f, g) \mid f \approx g\} \cup \{(\varepsilon, g) \mid \varepsilon \approx g\}$.

As weak bisimilarity is a left congruence w.r.t. sequential composition, we can 'generate' from $\mathcal{B}$ new pairs of weakly bisimilar processes by substitution (it is worth noting that weak bisimilarity is not a right congruence w.r.t. sequencing; to see this, it suffices to define $X \xrightarrow{\tau} X$, $Y \xrightarrow{\tau} \varepsilon$, $Z \xrightarrow{a} Z$. Now $X \approx Y$, but $XZ \not\approx YZ$). This generation procedure can be defined for any fundamental relation as follows:
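Both the finite-state procedure of Section 2 (compute the '$\Rightarrow$' relation, then refine $Const(\Gamma) \times Const(\Gamma)$ until it stabilizes) and the non-congruence example just given can be checked mechanically. The following Python script is an added example and not code from the paper: it computes the greatest weak bisimulation of a small labelled transition system by refinement from the full relation, with `tau` standing for $\tau$. The system is constructed here; since sequencing a finite-state process with a single constant is again finite-state, the states XZ, YZ and Z are expanded by hand and fed to the same checker.

```python
from collections import defaultdict
from itertools import product

TAU = "tau"  # the internal action; every other label is observable


def weak_closure(states, trans):
    """Compute the extended relation of Definition 1.

    Returns a dict  weak[(s, a)] = set of t with s =a=> t:
    s =tau=> t  iff t is reachable from s by zero or more tau-steps,
    s =a=> t    iff s =tau=> s' -a-> s'' =tau=> t for some s', s''.
    """
    tau_reach = {s: {s} for s in states}
    changed = True
    while changed:  # reflexive-transitive closure of -tau->
        changed = False
        for s in states:
            for t in list(tau_reach[s]):
                for lbl, u in trans.get(t, ()):
                    if lbl == TAU and u not in tau_reach[s]:
                        tau_reach[s].add(u)
                        changed = True
    weak = defaultdict(set)
    for s in states:
        weak[(s, TAU)] = set(tau_reach[s])
        for s1 in tau_reach[s]:
            for lbl, s2 in trans.get(s1, ()):
                if lbl != TAU:
                    weak[(s, lbl)] |= tau_reach[s2]
    return weak


def _matches(e, f, trans, weak, rel):
    """Every -a-> move of e is answered by some =a=> move of f inside rel."""
    for a, e1 in trans.get(e, ()):
        if not any((e1, f1) in rel for f1 in weak[(f, a)]):
            return False
    return True


def greatest_weak_bisimulation(states, trans):
    """Refine the full relation until it stabilizes (greatest fixpoint)."""
    weak = weak_closure(states, trans)
    rel = set(product(states, states))
    changed = True
    while changed:
        changed = False
        for e, f in list(rel):
            if not (_matches(e, f, trans, weak, rel)
                    and _matches(f, e, trans, weak, rel)):
                rel.discard((e, f))
                changed = True
    return rel


def weakly_bisimilar(states, trans, s, t):
    return (s, t) in greatest_weak_bisimulation(states, trans)


def example_system():
    """Constructed sample: X -tau-> X, Y -tau-> eps, Z -a-> Z (Section 3),
    plus the hand-expanded sequential compositions XZ and YZ."""
    trans = {
        "X":   [(TAU, "X")],
        "Y":   [(TAU, "eps")],
        "eps": [],
        "Z":   [("a", "Z")],
        "XZ":  [(TAU, "XZ")],   # X never terminates, so Z is never reached
        "YZ":  [(TAU, "Z")],    # Y terminates, control passes to Z
    }
    return sorted(trans), trans


if __name__ == "__main__":
    states, trans = example_system()
    print("X ~ Y  :", weakly_bisimilar(states, trans, "X", "Y"))    # True
    print("XZ ~ YZ:", weakly_bisimilar(states, trans, "XZ", "YZ"))  # False
```

The refinement loop removes a pair as soon as one side has a '$\to$' move that the other side cannot answer with a '$\Rightarrow$' move into the current relation; starting from the full relation and deleting only, the loop ends in the greatest such relation, which is the greatest weak bisimulation.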

Definition 3. Let $K$ be a fundamental relation. The closure of $K$, denoted $Cl(K)$, is the least relation $M$ which satisfies the following conditions:

1. $K \subseteq M$

2. if $(f, g) \in K$ and $(\alpha, f) \in M$, then $(\alpha, g) \in M$

3. if $(f, g) \in K$ and $(\alpha h, f) \in M$, then $(\alpha h, g) \in M$

4. if $(Yf, g) \in K$ and $(\alpha, f) \in M$, then $(Y\alpha, g) \in M$

5. if $(Yf, g) \in K$ and $(\alpha h, f) \in M$, then $(Y\alpha h, g) \in M$

6. if $(\alpha, g) \in M$ and $\alpha$ contains an unnormed constant, then $(\alpha\beta, g), (\alpha\beta h, g) \in M$ for every $\beta \in Const(\Delta)^*$ and $h \in Const(\Gamma)$.

Note that $Cl(K)$ contains elements of just two forms: $(\alpha, g)$ and $(\alpha f, g)$. Clearly $Cl(K) = \bigcup_{i=0}^{\infty} Cl(K)^i$ where $Cl(K)^0 = K$ and $Cl(K)^{i+1}$ consists of $Cl(K)^i$ and the pairs which can be immediately derived from $Cl(K)^i$ by the rules 2–6 of Definition 3. Although the closure of a fundamental relation can be infinite, its structure is in some sense regular. This fact is precisely formulated in the following theorem:

Theorem 1. Let $K$ be a fundamental relation. For each $g \in Const(\Gamma)$ there is a finite-state automaton $A_g$ of size $O(nm^2)$ constructible in $O(nm^2)$ time s.t. $L(A_g) = \{\alpha \mid (\alpha, g) \in Cl(K)\} \cup \{\alpha f \mid (\alpha f, g) \in Cl(K)\}$.

Proof. We construct a regular grammar of size $O(nm^2)$ which generates the mentioned language. Let $G_g = (N, \Sigma, \delta, \bar g)$ where

- $N = \{\bar f \mid f \in Const(\Gamma)\} \cup \{U\}$

- $\Sigma = Const(\Delta) \cup Const(\Gamma)$

- $\delta$ is defined as follows:

  • for each $(\varepsilon, h) \in K$ we add the rule $\bar h \to \varepsilon$.

  • for each $(f, h) \in K$ we add the rules $\bar h \to \bar f$, $\bar h \to f$.

  • for each $(Yf, h) \in K$ we add the rules $\bar h \to Y\bar f$, $\bar h \to Yf$.

  • for each $(X, h) \in K$ we add the rule $\bar h \to X$ and if $X$ is unnormed, then we also add the rule $\bar h \to XU$.

  • for each $X \in Const(\Delta)$, $f \in Const(\Gamma)$ we add the rules $U \to XU$, $U \to X$, $U \to f$.

A proof that $G_g$ indeed generates the mentioned language is routine. Now we translate $G_g$ to $A_g$ (see e.g. [?]). Note that the size of $A_g$ is essentially the same as the size of $G_g$; $A_g$ is non-deterministic and can contain $\varepsilon$-rules. □

As an immediate consequence of the previous theorem we obtain that membership in $Cl(K)$ for any fundamental relation $K$ is easily decidable in polynomial time. Another property of $Cl(K)$ is specified in the lemma below.

Lemma 1. Let $(\alpha f, g) \in Cl(K)$. If $(\beta h, f) \in Cl(K)$, then also $(\alpha\beta h, g) \in Cl(K)$. Similarly, if $(\beta, f) \in Cl(K)$, then also $(\alpha\beta, g) \in Cl(K)$.

The importance of the bisimulation base is clarified by the following theorem. It says that $Cl(\mathcal{B})$ subsumes the greatest weak bisimulation between processes of $\Delta$ and $\Gamma$.

Theorem 2. For all $\alpha, f, g$ we have $\alpha \approx g$ iff $(\alpha, g) \in Cl(\mathcal{B})$, and $\alpha f \approx g$ iff $(\alpha f, g) \in Cl(\mathcal{B})$.

Proof. The 'if' part is obvious in both cases, as $\mathcal{B}$ contains only weakly bisimilar pairs and all the rules of Definition 3 produce pairs which are again weakly bisimilar. The 'only if' part can, in both cases, be easily proved by induction on the length of $\alpha$ (we just show the first proof; the second one is similar).

- $\alpha = \varepsilon$. Then $(\varepsilon, g) \in \mathcal{B}$, hence $(\varepsilon, g) \in Cl(\mathcal{B})$.

- $\alpha = Y\beta$. If $Y$ is unnormed, then $Y \approx g$ and $(Y, g) \in \mathcal{B}$. By the rule 6 of Definition 3 we obtain $(Y\beta, g) \in Cl(\mathcal{B})$. If $Y$ is normed, then $Y\beta \xRightarrow{w} \beta$ for some $w \in Act^*$ and $g$ must be able to match the sequence $w$ by some $g \xRightarrow{w} g'$ s.t. $\beta \approx g'$. By substitution we now obtain that $Yg' \approx g$. Clearly $(Yg', g) \in \mathcal{B}$, and $(\beta, g') \in Cl(\mathcal{B})$ by induction hypothesis. Hence $(\alpha, g) \in Cl(\mathcal{B})$ due to the rule 4 of Definition 3. □

The next definition formalizes one step of the 'refinement procedure' which is applied to $\mathcal{G}$ to compute $\mathcal{B}$.

Definition 4. Let $K$ be a fundamental relation. We say that a pair $(X, g)$ of $K$ expands in $K$ iff the following two conditions hold:

- for each $X \xrightarrow{a} \alpha$ there is some $g \xRightarrow{a} g'$ s.t. $(\alpha, g') \in Cl(K)$

- for each $g \xrightarrow{a} g'$ there is some $X \xRightarrow{a} \alpha$ s.t. $(\alpha, g') \in Cl(K)$

The expansion of a pair of the form $(Yf, g)$, $(f, g)$, $(\varepsilon, g)$ in $K$ is defined in the same way: for each '$\to$' move of the left component there must be some '$\Rightarrow$' move of the right component such that the resulting pair of processes belongs to $Cl(K)$, and vice versa (note that $\varepsilon \xRightarrow{\tau} \varepsilon$). The set of all pairs of $K$ which expand in $K$ is denoted by $Exp(K)$.

The notion of expansion is in some sense 'compatible' with the definition of weak bisimulation. This intuition is formalised in the following lemma.

Lemma 2. Let $K$ be a fundamental relation s.t. $Exp(K) = K$. Then $Cl(K)$ is a weak bisimulation.

Proof. We prove that every pair $(\alpha, g)$, $(\alpha f, g)$ of $Cl(K)^i$ has the property that for each '$\to$' move of one component there is a '$\Rightarrow$' move of the other component s.t. the resulting pair of processes belongs to $Cl(K)$ (we consider just pairs of the form $(\alpha f, g)$; the other case is similar). By induction on $i$.

- $i = 0$. Then $(\alpha f, g) \in K$; as $K = Exp(K)$, the claim follows directly from the definitions.

- Induction step. Let $(\alpha f, g) \in Cl(K)^{i+1}$. There are three possibilities:

I. There is an $h$ s.t. $(\alpha f, h) \in Cl(K)^i$, $(h, g) \in K$.

Let $\alpha f \xrightarrow{a} \gamma f$ (note that $\alpha$ can be empty; in this case we have to consider moves of the form $f \xrightarrow{a} f'$. It is done in a similar way as below). As $(\alpha f, h) \in Cl(K)^i$, we can use the induction hypothesis and conclude that there is $h \xRightarrow{a} h'$ s.t. $(\gamma f, h') \in Cl(K)$. We distinguish two cases:

1) $a = \tau$ and $h' = h$. Then $(\gamma f, h) \in Cl(K)$ and as $(h, g) \in K$, we obtain $(\gamma f, g) \in Cl(K)$ due to Lemma 1. Hence $g$ can use the move $g \xRightarrow{\tau} g$.

2) $a \neq \tau$ or $h \neq h'$. Then there is a transition $h \xrightarrow{a} h'$ (see the beginning of this section) and as $(h, g) \in K$, by induction hypothesis we know that there is some $g \xRightarrow{a} g'$ s.t. $(h', g') \in Cl(K)$. Hence $(\gamma f, g') \in Cl(K)$ due to Lemma 1.

Now let $g \xrightarrow{a} g'$. As $(h, g) \in K$, there is $h \xRightarrow{a} h'$ s.t. $(h', g') \in Cl(K)$. We distinguish two possibilities again:

1) $a = \tau$ and $h' = h$. Then $\alpha f$ can use the move $\alpha f \xRightarrow{\tau} \alpha f$; we have $(h, g') \in Cl(K)$ and $(\alpha f, h) \in Cl(K)$, hence also $(\alpha f, g') \in Cl(K)$.

2) $a \neq \tau$ or $h \neq h'$. Then $h \xrightarrow{a} h'$ and as $(\alpha f, h) \in Cl(K)^i$, there is $\alpha f \xRightarrow{a} \gamma f$ (or $\alpha f \xRightarrow{a} f'$; it is handled in the same way) s.t. $(\gamma f, h') \in Cl(K)$. Hence also $(\gamma f, g') \in Cl(K)$ by Lemma 1.

II. $\alpha = Y\beta$ and there is $h$ s.t. $(Yh, g) \in K$, $(\beta f, h) \in Cl(K)^i$.

Let $Y\beta f \xrightarrow{a} \gamma\beta f$. As $(Yh, g) \in K$, we can use the induction hypothesis and conclude that there is $g \xRightarrow{a} g'$ s.t. $(\gamma h, g') \in Cl(K)$. As $(\beta f, h) \in Cl(K)$, we obtain $(\gamma\beta f, g') \in Cl(K)$ by Lemma 1.

Let $g \xrightarrow{a} g'$. As $(Yh, g) \in K$, by induction hypothesis we know that $Yh$ can match the move $g \xrightarrow{a} g'$; there are two possibilities:

1) $Yh \xRightarrow{a} \gamma h$ s.t. $(\gamma h, g') \in Cl(K)$. Then also $Y\beta f \xRightarrow{a} \gamma\beta f$. As $(\beta f, h) \in Cl(K)$, we immediately have $(\gamma\beta f, g') \in Cl(K)$ as required.

2) $Yh \xRightarrow{a} h'$ s.t. $(h', g') \in Cl(K)$. The transition $Yh \xRightarrow{a} h'$ can be 'decomposed' into $Yh \xRightarrow{x} h$, $h \xRightarrow{y} h'$ where $x = a \wedge y = \tau$ or $x = \tau \wedge y = a$. If $y = \tau$ and $h' = h$, we are done immediately because then $Y\beta f \xRightarrow{a} \beta f$ and as $(h, g'), (\beta f, h) \in Cl(K)$, we also have $(\beta f, g') \in Cl(K)$ as needed. If $y \neq \tau$ or $h' \neq h$, there is a transition $h \xrightarrow{y} h'$. As $(\beta f, h) \in Cl(K)^i$, due to the induction hypothesis we know that there is some $\beta f \xRightarrow{y} \gamma f$ (or $\beta f \xRightarrow{y} f'$; this is handled in the same way) with $(\gamma f, h') \in Cl(K)$. Clearly $Y\beta f \xRightarrow{a} \gamma f$. As $(h', g'), (\gamma f, h') \in Cl(K)$, we also have $(\gamma f, g') \in Cl(K)$.

III. $\alpha = \beta\gamma$ where $\beta$ contains an unnormed constant and $(\beta, g) \in Cl(K)^i$.

Let $\alpha \xrightarrow{a} \alpha'$. Then $\alpha' = \delta\gamma$ and $\beta \xrightarrow{a} \delta$. As $(\beta, g) \in Cl(K)^i$, there is $g \xRightarrow{a} g'$ s.t. $(\delta, g') \in Cl(K)$ due to the induction hypothesis. Clearly $\delta$ contains an unnormed constant, hence $(\delta\gamma, g') \in Cl(K)$ by the last rule of Definition 3.

Let $g \xrightarrow{a} g'$. As $(\beta, g) \in Cl(K)^i$, there is $\beta \xRightarrow{a} \delta$ s.t. $(\delta, g') \in Cl(K)$ and $\delta$ contains an unnormed constant. Hence $\alpha \xRightarrow{a} \delta\gamma$ and $(\delta\gamma, g') \in Cl(K)$ due to the last rule of Definition 3. □

The notion of expansion allows us to approximate $\mathcal{B}$ in the following way: $\mathcal{B}^0 = \mathcal{G}$, $\mathcal{B}^{i+1} = Exp(\mathcal{B}^i)$. A proof of the next theorem is now easy to complete.

Theorem 3. There is a $j \in \mathbb{N}$, bounded by $O(nm^2)$, such that $\mathcal{B}^j = \mathcal{B}^{j+1}$. Moreover, $\mathcal{B}^j = \mathcal{B}$.

In other words, $\mathcal{B}$ can be obtained from $\mathcal{G}$ in $O(nm^2)$ refinement steps which correspond to the construction of the expansion. The only thing which remains to be shown is that $Exp(K)$ is effectively constructible in polynomial time. To do that, we employ a 'symbolic' technique which allows us to represent infinite subsets of the BPA state-space in an elegant and succinct way.

Theorem 4. For all $X \in Const(\Delta)$, $a \in Act(\Delta)$ there is a finite-state automaton $A_{(X,a)}$ of size $O(n^2)$ constructible in $O(n^2)$ time s.t. $L(A_{(X,a)}) = \{\alpha \mid X \xRightarrow{a} \alpha\}$.

Proof. We define a left-linear grammar $G_{(X,a)}$ of size $O(n^2)$ which generates the mentioned language. This grammar can be converted to $A_{(X,a)}$ by a standard algorithm known from automata theory (see e.g. [?]). Note that the size of $A_{(X,a)}$ is essentially the same as the size of $G_{(X,a)}$. First, let us realize that we can compute in $O(n^2)$ time the sets $M_\tau$ and $M_a$ consisting of all $Y \in Const(\Delta)$ s.t. $Y \xRightarrow{\tau} \varepsilon$ and $Y \xRightarrow{a} \varepsilon$, respectively. Let $G_{(X,a)} = (N, \Sigma, \delta, S)$ where

- $N = \{Y^a, Y^\tau \mid Y \in Const(\Delta)\} \cup \{S\}$. Intuitively, the index indicates whether the action '$a$' has already been emitted.

- $\Sigma = Const(\Delta)$

- $\delta$ is defined as follows:

  • we add the rule $S \to X^a$ to $\delta$, and if $X \xRightarrow{a} \varepsilon$ then we also add the rule $S \to \varepsilon$.

  • for every transition $Y \xrightarrow{a} Z_1 \cdots Z_k$ of $\Delta$ and every $i$ s.t. $1 \le i \le k$ we test whether $Z_j \xRightarrow{\tau} \varepsilon$ for every $0 < j < i$. If this is the case, we add to $\delta$ the rules

  $$Y^a \to Z_i \cdots Z_k, \qquad Y^a \to Z_i^\tau Z_{i+1} \cdots Z_k$$

  • for every transition $Y \xrightarrow{\tau} Z_1 \cdots Z_k$ of $\Delta$ and every $i$ s.t. $1 \le i \le k$ we do the following:

    * we test whether $Z_j \xRightarrow{\tau} \varepsilon$ for every $0 < j < i$. If this is the case, we add to $\delta$ the rules

    $$Y^\tau \to Z_i^\tau Z_{i+1} \cdots Z_k, \qquad Y^a \to Z_i^a Z_{i+1} \cdots Z_k, \qquad Y^\tau \to Z_i \cdots Z_k$$

    * we test whether there is a $t < i$ such that $Z_t \xRightarrow{a} \varepsilon$ and $Z_j \xRightarrow{\tau} \varepsilon$ for every $0 < j < i$, $j \neq t$. If this is the case, we add to $\delta$ the rules

    $$Y^a \to Z_i^\tau Z_{i+1} \cdots Z_k, \qquad Y^a \to Z_i \cdots Z_k$$

The fact that $G_{(X,a)}$ generates the mentioned language is intuitively clear and a formal proof of that is easy. The size of $G_{(X,a)}$ is $O(n^2)$, as $\Delta$ contains $O(n)$ basic transitions of length $O(n)$. □
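The proof of Theorem 4 starts from the sets $M_\tau$ and $M_a$ of constants that can vanish by $\tau$-steps only, respectively by a single '$a$' surrounded by $\tau$-steps, and the grammar's side conditions ask exactly whether a prefix $Z_1 \cdots Z_{i-1}$ vanishes in one of these ways. The Python below is an added example, not the paper's code: it computes both sets as least fixpoints over a BPA system constructed here (the rule triples and constant names are the example's own) and then decides $\alpha \xRightarrow{\tau} \varepsilon$ and $\alpha \xRightarrow{a} \varepsilon$ for a sequential expression $\alpha$.

```python
TAU = "tau"


def vanishing_sets(rules, action):
    """Compute M_tau and M_a for a BPA system given as (Y, label, rhs) triples,
    where rhs is the list [Z1, ..., Zk] (an empty list means Y -label-> eps).

    M_tau = { Y | Y =tau=> eps },  M_a = { Y | Y =a=> eps } for a = action.
    Both are least fixpoints, so constants in livelock (Y -tau-> Y only)
    are correctly left out.
    """
    m_tau = set()
    changed = True
    while changed:
        changed = False
        for y, lbl, rhs in rules:
            # Y vanishes silently iff a tau-rule leads to constants that all vanish silently
            if lbl == TAU and y not in m_tau and all(z in m_tau for z in rhs):
                m_tau.add(y)
                changed = True

    m_a = set()
    changed = True
    while changed:
        changed = False
        for y, lbl, rhs in rules:
            if y in m_a:
                continue
            # Either Y emits the action itself and the rest vanishes silently ...
            if lbl == action and all(z in m_tau for z in rhs):
                m_a.add(y)
                changed = True
            # ... or Y moves silently and exactly one Z_t emits the action while
            # every other Z_j vanishes silently (sequencing runs left to right).
            elif lbl == TAU and can_vanish(rhs, action, m_tau, m_a):
                m_a.add(y)
                changed = True
    return m_tau, m_a


def can_vanish(alpha, action, m_tau, m_a):
    """Decide alpha =action=> eps for a sequential expression alpha = [Z1, ..., Zk]."""
    if action == TAU:
        return all(z in m_tau for z in alpha)
    return any(
        z in m_a and all(w in m_tau for j, w in enumerate(alpha) if j != i)
        for i, z in enumerate(alpha)
    )


def example_rules():
    """Constructed BPA system (not taken from the paper)."""
    return [
        ("A", TAU, []),          # A -tau-> eps
        ("B", "a", ["A"]),       # B -a-> A
        ("C", TAU, ["A", "B"]),  # C -tau-> A.B : A vanishes, B emits a, A vanishes
        ("D", "b", []),          # D -b-> eps
        ("E", TAU, ["E"]),       # E -tau-> E : livelock, never terminates
        ("F", "a", ["D"]),       # F -a-> D : D cannot vanish silently
    ]


if __name__ == "__main__":
    m_tau, m_a = vanishing_sets(example_rules(), "a")
    print("M_tau =", sorted(m_tau))                      # ['A']
    print("M_a   =", sorted(m_a))                        # ['B', 'C']
    print(can_vanish(["A", "C", "A"], "a", m_tau, m_a))  # True
    print(can_vanish(["B", "B"], "a", m_tau, m_a))       # False (two a's)
```

Each pass over the rules is linear in the size of $\Delta$ and at most one constant per pass fails to be added before the loop stops, which matches the $O(n^2)$ bound the proof states for computing $M_\tau$ and $M_a$.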
The crucial part of our algorithm (the 'refinement step') is presented in the proof of the next theorem. Our complexity analysis is based on the following facts: Let $A = (Q, \Sigma, \delta, q_0, F)$ be a non-deterministic automaton with $\varepsilon$-rules, and let $t$ be the total number of states and transitions of $A$.

- The problem whether a given $w \in \Sigma^*$ belongs to $L(A)$ is decidable in $O(|w| \cdot t)$ time.

- The problem whether $L(A) = \emptyset$ is decidable in $O(t)$ time.

Theorem 5. Let $K$ be a fundamental relation. The relation $Exp(K)$ can be effectively constructed in $O(n^4 m^5)$ time.

Proof. First we construct the automata $A_g$ of Theorem 1 for every $g \in Const(\Gamma)$. This takes $O(nm^3)$ time. Then we construct the automata $A_{(X,a)}$ of Theorem 4 for all $X \in Const(\Delta)$, $a \in Act(\Delta)$. This takes $O(n^3)$ time. Furthermore, we also compute the set of all pairs of the form $(f, g)$, $(\varepsilon, g)$ which belong to $Cl(K)$. It can be done in $O(m^2)$ time. Now we show that for each pair of $K$ we can decide in $O(n^3 m^3)$ time whether this pair expands in $K$.

The pairs of the form $(f, g)$ and $(\varepsilon, g)$ are easy to handle; there are at most $m$ states $f'$ s.t. $f \xrightarrow{a} f'$, and at most $m$ states $g'$ with $g \xRightarrow{a} g'$, hence we need to check only $O(m^2)$ pairs to verify the first (and consequently also the second) condition of Definition 4. Each such pair can be checked in constant time, because the set of all pairs $(f, g)$, $(\varepsilon, g)$ which belong to $Cl(K)$ has already been computed at the beginning.

Now let us consider a pair of the form $(X, g)$. First we need to verify that for each $X \xrightarrow{a} \alpha$ there is some $g \xRightarrow{a} h$ s.t. $(\alpha, h) \in Cl(K)$. This requires $O(nm)$ tests whether $\alpha \in L(A_h)$. As the length of $\alpha$ is $O(n)$ and the size of $A_h$ is $O(nm^2)$, each such test can be done in $O(n^2 m^2)$ time, hence we need $O(n^3 m^3)$ time in total. As for the second condition of Definition 4, we need to find out whether for each $g \xrightarrow{a} h$ there is some $X \xRightarrow{a} \alpha$ s.t. $(\alpha, h) \in Cl(K)$. To do that, we simply test the emptiness of $L(A_{(X,a)}) \cap L(A_h)$. The size of the product automaton is $O(n^3 m^2)$ and we need to perform only $O(m)$ such tests, hence the time $O(n^3 m^3)$ suffices.

Pairs of the form $(Yf, g)$ are handled in a similar way; the first condition of Definition 4 is again no problem, as we are interested only in the moves of the left component. Now let $g \xrightarrow{a} g'$. The existence of a 'good' move of $Yf$ can be verified by testing whether one of the following conditions holds:

- $L(A_{(Y,a)}) \cdot \{f\} \cap L(A_{g'})$ is nonempty.

- $Y \xRightarrow{a} \varepsilon$ and there is some $f \xRightarrow{\tau} f'$ s.t. $(f', g') \in Cl(K)$.

- $Y \xRightarrow{\tau} \varepsilon$ and there is some $f \xRightarrow{a} f'$ s.t. $(f', g') \in Cl(K)$.

All those conditions can be checked in $O(n^3 m^3)$ time (the required analysis has in fact been done above). As $K$ contains $O(nm^2)$ pairs, the total time which is needed to compute $Exp(K)$ is $O(n^4 m^5)$. □

As the BPA process $E$ (introduced at the beginning of this section) is an element of $Const(\Delta)$, we have that $E \approx F$ iff $(E, F) \in \mathcal{B}$. To compute $\mathcal{B}$, we have to perform the computation of the expansion $O(nm^2)$ times (see Theorem 3). This gives us the following main theorem:

Theorem 6. Weak bisimilarity is decidable between BPA and finite-state processes in $O(n^5 m^7)$ time.

The fact that weak bisimilarity is not a congruence w.r.t. sequential composition is rather unpleasant; any equivalence which is to be considered as 'behavioural' should have this property. We propose a solution to this problem by designing a natural refinement of weak bisimilarity called termination-sensitive bisimilarity. This relation distinguishes between the following 'basic phenomena' of sequencing:

- successful termination of the process which is currently being executed. The system can then continue to execute the next process in the queue.

- unsuccessful termination of the executed process (deadlock). This models a severe error which causes the whole system to 'get stuck'.

- entering an infinite internal loop (livelock).

Termination-sensitive bisimilarity is a congruence w.r.t. sequencing, and it is also decidable between BPA and finite-state processes in polynomial time. It can be proved by adapting the proof for weak bisimilarity. Formal definitions and proofs are omitted due to the lack of space; see [?] for details.



4 Normed BPP Processes 

In this section we prove that weak bisimilarity is decidable in polynomial time between normed BPP and finite-state processes. The basic structure of our proof is similar to the one for BPA. The key is that the weak bisimulation problem can be decomposed into problems about the single constants and their interaction with each other. In particular, a normed BPP process is finite w.r.t. weak bisimilarity iff every single reachable process constant is finite w.r.t. weak bisimilarity. This does not hold for general BPP and thus our construction does not carry over to general BPP.

Even for normed BPP, we have to solve some additional problems. The bisimulation base and its closure are simpler due to the normedness assumption, but the 'symbolic' representation of the BPP state-space is more problematic (see below). The set of states which are reachable from a given BPP state in one '$\Rightarrow$' move is no longer regular, but it can be in some sense represented by a CF grammar. In our algorithm we use the facts that emptiness of a CF language is decidable in polynomial time, and that CF languages are closed under intersection with regular languages. Most proofs in this section are omitted due to the lack of space. See [?] for details.

Let $E$ be a BPP process and $F$ a finite-state process with the underlying systems $\Delta$ and $\Gamma$, respectively. We can assume w.l.o.g. that $E \in Const(\Delta)$. Elements of $Const(\Delta)$ are denoted by $X, Y, Z, \ldots$, elements of $Const(\Gamma)$ by $f, g, h, \ldots$ The set of all parallel expressions over $Const(\Delta)$ is denoted by $Const(\Delta)^{\otimes}$ and its elements by Greek letters $\alpha, \beta, \ldots$ The size of $\Delta$ is denoted by $n$, and the size of $\Gamma$ by $m$.

In our constructions we represent certain subsets of $Const(\Delta)^{\otimes}$ by finite automata and CF grammars. The problem is that elements of $Const(\Delta)^{\otimes}$ are considered modulo commutativity; however, finite automata and CF grammars of course distinguish between different 'permutations' of the same word. As the classes of regular and CF languages are not closed under permutation, this problem is important. As we want to clarify the distinction between $\alpha$ and its possible 'linear representations', we define for each $\alpha$ the set $Lin(\alpha)$ as follows:

$$Lin(X_1 \| \cdots \| X_k) = \{X_{p(1)} \cdots X_{p(k)} \mid p \text{ is a permutation of the set } \{1, \ldots, k\}\}$$

For example, $Lin(X\|Y\|Z) = \{XYZ, XZY, YXZ, YZX, ZXY, ZYX\}$. We also assume that each $Lin(\alpha)$ contains some (unique) element called the canonical form of $Lin(\alpha)$. It is not important how the canonical form is chosen; we need it just to make some constructions deterministic (for example, we can fix some linear order on process constants and let the canonical form of $Lin(\alpha)$ be the sorted order of constants of $\alpha$).

Definition 5. A relation $K$ is fundamental iff it is a subset of $(Const(\Delta) \cup \{\varepsilon\}) \times Const(\Gamma)$. The greatest fundamental relation is denoted by $\mathcal{G}$. The bisimulation base for $\Delta$ and $\Gamma$, denoted $\mathcal{B}$, is defined as follows:

$$\mathcal{B} = \{(X, f) \mid X \approx f\} \cup \{(\varepsilon, f) \mid \varepsilon \approx f\}$$

Definition 6. Let $K$ be a fundamental relation. The closure of $K$, denoted $Cl(K)$, is the least relation $M$ which satisfies

1. $K \subseteq M$

2. if $(X, g) \in K$, $(\beta, h) \in M$, and $f \approx g \| h$, then $(\beta \| X, f) \in M$

3. if $(\varepsilon, g) \in K$, $(\beta, h) \in M$, and $f \approx g \| h$, then $(\beta, f) \in M$

The family of $Cl(K)^i$ approximations is defined in the same way as in the previous section.

Lemma 3. Let $(\alpha, f) \in Cl(K)$, $(\beta, g) \in Cl(K)$, $f \| g \approx h$. Then $(\alpha \| \beta, h) \in Cl(K)$.

Again, the closure of the bisimulation base is the greatest weak bisimulation between processes of $\Delta$ and $\Gamma$.

Theorem 7. Let $\alpha \in Const(\Delta)^{\otimes}$, $f \in Const(\Gamma)$. We have that $\alpha \approx f$ iff $(\alpha, f) \in Cl(\mathcal{B})$.

The closure of any fundamental relation can in some sense be represented by a finite-state automaton, as stated in the next theorem.

Theorem 8. Let $K$ be a fundamental relation. For each $g \in Const(\Gamma)$ there is a finite-state automaton $A_g$ of size $O(nm)$ constructible in $O(nm)$ time s.t. the following conditions hold:

- whenever $A_g$ accepts an element of $Lin(\alpha)$, then $(\alpha, g) \in Cl(K)$

- if $(\alpha, g) \in Cl(K)$, then $A_g$ accepts at least one element of $Lin(\alpha)$

It is important to realize that if $(\alpha, g) \in Cl(K)$, then $A_g$ does not necessarily accept all elements of $Lin(\alpha)$. Generally, $A_g$ cannot be 'repaired' to do so (see the beginning of this section); however, there is actually no need for such 'repairs', because $A_g$ has the following nice property:

Lemma 4. Let $K$ be a fundamental relation s.t. $\mathcal{B} \subseteq K$. If $\alpha \approx g$, then the automaton $A_g$ of (the proof of) Theorem 8 constructed for $K$ accepts all elements of $Lin(\alpha)$.



Weak Bisimilarity with Infinite-State Systems Can Be Decided in Polynomial Time 



379 



The set of states which are reachable from a given $X \in Const(\Delta)$ in one '$\Rightarrow$' move is no longer regular, but it can, in some sense, be represented by a CF grammar.

Theorem 9. For all $X \in Const(\Delta)$, $a \in Act(\Delta)$ there is a context-free grammar $G_{(X,a)}$ in 3-GNF of size $O(n^2)$ constructible in $O(n^2)$ time s.t. the following two conditions hold:

- if $G_{(X,a)}$ generates an element of $Lin(\alpha)$, then $X \xRightarrow{a} \alpha$

- if $X \xRightarrow{a} \alpha$, then $G_{(X,a)}$ generates at least one element of $Lin(\alpha)$

The notion of expansion is defined in a different way (when compared to the one of the previous section).

Definition 7. Let $K$ be a fundamental relation. We say that a pair $(X, f) \in K$ expands in $K$ iff the following two conditions hold:

- for each $X \xrightarrow{a} \alpha$ there is some $f \xRightarrow{a} g$ s.t. $\bar\alpha \in L(A_g)$, where $\bar\alpha$ is the canonical form of $Lin(\alpha)$.

- for each $f \xrightarrow{a} g$ the language $L(A_g) \cap L(G_{(X,a)})$ is non-empty.

A pair $(\varepsilon, f) \in K$ expands in $K$ iff $f \xrightarrow{a} g$ implies $a = \tau$, and for each $f \xrightarrow{a} g$ we have that $\varepsilon \in L(A_g)$. The set of all pairs of $K$ which expand in $K$ is denoted by $Exp(K)$.



Theorem 10. Let $K$ be a fundamental relation. The set $Exp(K)$ can be computed in $O(n^{?} m^{?})$ time.

Proof. First we compute the automata $A_g$ of Theorem 8 for all $g \in Const(\Gamma)$. This takes $O(nm^2)$ time. Then we compute the grammars $G_{(X,a)}$ of Theorem 9 for all $X \in Const(\Delta)$, $a \in Act$. This takes $O(n^3)$ time. Now we show that it is decidable in $O(n^{?} m^{?})$ time whether a pair $(X, f)$ of $K$ expands in $K$.

The first condition of Definition 7 can be checked in $O(n^3 m^2)$ time, as there are $O(n)$ transitions $X \xrightarrow{a} \alpha$, $O(m)$ states $g$ s.t. $f \xRightarrow{a} g$, and for each such pair $(\alpha, g)$ we verify whether $\bar\alpha \in L(A_g)$ where $\bar\alpha$ is the canonical form of $Lin(\alpha)$; this membership test can be done in $O(n^2 m)$ time, as the size of $\bar\alpha$ is $O(n)$ and the size of $A_g$ is $O(nm)$.

The second condition of Definition 7 is more expensive. To test the emptiness of $L(A_g) \cap L(G_{(X,a)})$, we first construct a pushdown automaton $\mathcal{P}$ which recognises this language. $\mathcal{P}$ has $O(m)$ control states and its total size is $O(n^2 m)$. Furthermore, each rule $pX \to q\alpha$ of $\mathcal{P}$ has the property that $length(\alpha) \le 2$, because $G_{(X,a)}$ is in 3-GNF. Now we transform this automaton to an equivalent CF grammar by a well-known procedure described e.g. in [?]. The size of the resulting grammar is $O(n^2 m^3)$, and its emptiness can thus be checked in $O(n^{?} m^{?})$ time (cf. [?]). This construction has to be performed $O(m)$ times, hence we need $O(n^{?} m^{?})$ time in total.

Pairs of the form $(\varepsilon, f)$ are handled in a similar (but less expensive) way. As $K$ contains $O(nm)$ pairs, the computation of $Exp(K)$ takes $O(n^{?} m^{?})$ time. □

The previous theorem is actually a straightforward consequence of Definition 7. The next theorem says that $Exp$ really does what we need.

Theorem 11. Let $K$ be a fundamental relation s.t. $Exp(K) = K$. Then $Cl(K)$ is a weak bisimulation.
Proof. Let $(\alpha, f) \in Cl(K)^i$. We prove that for each $\alpha \xrightarrow{a} \beta$ there is some $f \xRightarrow{a} g$ s.t. $(\beta, g) \in Cl(K)$ and vice versa. By induction on $i$.

- $i = 0$. Then $(\alpha, f) \in K$, and we can distinguish the following two possibilities:

1. $\alpha = X$

Let $X \xrightarrow{a} \beta$. By Definition 7 there is $f \xRightarrow{a} g$ s.t. $\bar\beta \in L(A_g)$ for some $\bar\beta \in Lin(\beta)$. Hence $(\beta, g) \in Cl(K)$ due to the first part of Theorem 8.

Let $f \xrightarrow{a} g$. By Definition 7 there is some string $w \in L(A_g) \cap L(G_{(X,a)})$. Let $w \in Lin(\beta)$. We have $X \xRightarrow{a} \beta$ due to the first part of Theorem 9 and $(\beta, g) \in Cl(K)$ due to Theorem 8.

2. $\alpha = \varepsilon$

Let $f \xrightarrow{a} g$. Then $a = \tau$ and $\varepsilon \in L(A_g)$ by Definition 7. Hence $(\varepsilon, g) \in Cl(K)$ due to Theorem 8.

- Induction step. Let $(\alpha, f) \in Cl(K)^{i+1}$. There are two possibilities.

I. $\alpha = X \| \gamma$ and there are $r, s$ s.t. $(X, r) \in K$, $(\gamma, s) \in Cl(K)^i$, and $r \| s \approx f$.

Let $X \| \gamma \xrightarrow{a} \beta$. The action '$a$' can be emitted either by $X$ or by $\gamma$. We distinguish the two cases.

1) $X \| \gamma \xrightarrow{a} \delta \| \gamma$. As $(X, r) \in K$ and $X \xrightarrow{a} \delta$, there is some $r \xRightarrow{a} r'$ s.t. $(\delta, r') \in Cl(K)$. As $r \| s \approx f$ and $r \xRightarrow{a} r'$, there is some $f \xRightarrow{a} g$ s.t. $r' \| s \approx g$. To sum up, we have $(\delta, r') \in Cl(K)$, $(\gamma, s) \in Cl(K)$, $r' \| s \approx g$, hence $(\delta \| \gamma, g) \in Cl(K)$ due to Lemma 3.

2) $X \| \gamma \xrightarrow{a} X \| \rho$. As $(\gamma, s) \in Cl(K)^i$ and $\gamma \xrightarrow{a} \rho$, there is $s \xRightarrow{a} s'$ s.t. $(\rho, s') \in Cl(K)$. As $r \| s \approx f$ and $s \xRightarrow{a} s'$, there is $f \xRightarrow{a} g$ s.t. $r \| s' \approx g$. Due to Lemma 3 we obtain $(X \| \rho, g) \in Cl(K)$.

Let $f \xrightarrow{a} g$. As $r \| s \approx f$, there are $r \xRightarrow{x} r'$, $s \xRightarrow{y} s'$ where $x = a \wedge y = \tau$ or $x = \tau \wedge y = a$ s.t. $r' \| s' \approx g$. As $(X, r) \in K$, $(\gamma, s) \in Cl(K)^i$, there are $X \xRightarrow{x} \delta$, $\gamma \xRightarrow{y} \rho$ s.t. $(\delta, r'), (\rho, s') \in Cl(K)$. Clearly $X \| \gamma \xRightarrow{a} \delta \| \rho$ and $(\delta \| \rho, g) \in Cl(K)$ due to Lemma 3.

II. $(\alpha, r) \in Cl(K)^i$ and there is some $s$ s.t. $(\varepsilon, s) \in K$ and $r \| s \approx f$.

The proof can be completed along the same lines as above. □

Now we can approximate (and compute) the bisimulation base in the same way as in the previous section.

Theorem 12. There is a $j \in \mathbb{N}$, bounded by $O(nm)$, such that $\mathcal{B}^j = \mathcal{B}^{j+1}$. Moreover, $\mathcal{B}^j = \mathcal{B}$.

Theorem 13. Weak bisimilarity between normed BPP and finite-state processes is decidable in $O(n^{?} m^{?})$ time.

5 Conclusions 

We have proved that weak bisimilarity is decidable between BPA processes and finite-state processes in $O(n^5 m^7)$ time, and between normed BPP and finite-state processes in $O(n^{?} m^{?})$ time. It may be possible to improve the algorithm by re-using previously computed information, for example about sets of reachable states, but the exponents would still be very high. This is because the whole bisimulation basis is constructed. To get a more efficient algorithm, one could try to avoid this. Note however that once we construct $\mathcal{B}$ (for a BPA/nBPP system $\Delta$ and a finite-state system $\Gamma$) and the automaton $A_g$ of Theorem 1/Theorem 8 (for $K = \mathcal{B}$ and some $g \in Const(\Gamma)$), we can decide weak bisimilarity between a BPA/nBPP process $\alpha$ over $\Delta$ and a process $f \in Const(\Gamma)$ in time $O(|\alpha|)$; it suffices to test whether $A_f$ accepts $\alpha$ (observe that there is no substantial difference between $A_f$ and $A_g$ except for the initial state).

The technique of bisimulation bases has also been used for strong bisimilarity in [?]. However, those bases are different from ours; their design and the way they generate 'new' bisimilar pairs of processes rely on additional algebraic properties of strong bisimilarity (which is a full congruence w.r.t. sequencing, allows for unique decompositions of normed processes w.r.t. sequencing and parallelism, etc.). The main difficulty of those proofs is to show that membership in the 'closure' of the defined bases is decidable in polynomial time. The main point of our proofs is the use of a 'symbolic' representation of infinite subsets of the BPA and BPP state-space.

We would also like to mention that our proofs can be easily adapted to other bisimulation-like equivalences, where the notion of 'bisimulation-like' equivalence is the one of [?]. A concrete example is termination-sensitive bisimilarity of Section 3. Intuitively, almost every bisimulation-like equivalence has the algebraic properties which are needed for the construction of the bisimulation base, and the 'symbolic' technique for state-space representation can also be adapted. See [?] for details.
Abstract. In order to check whether an open system satisfies a desired property, we need to check the behavior of the system with respect to an arbitrary environment. In the most general setting, the environment is another open system. Given an open system $M$ and a property $\psi$, we say that $M$ robustly satisfies $\psi$ iff for every open system $M'$, which serves as an environment to $M$, the composition $M \| M'$ satisfies $\psi$. The problem of robust model checking is then to decide, given $M$ and $\psi$, whether $M$ robustly satisfies $\psi$. In this paper we study the robust-model-checking problem. We consider systems modeled by nondeterministic Moore machines, and properties specified by branching temporal logic (for linear temporal logic, robust satisfaction coincides with usual satisfaction). We show that the complexity of the problem is EXPTIME-complete for CTL and the $\mu$-calculus, and is 2EXPTIME-complete for CTL*. We partition branching temporal logic formulas into three classes: universal, existential, and mixed formulas. We show that each class has different sensitivity to the robustness requirement. In particular, unless the formula is mixed, robust model checking can ignore nondeterministic environments. In addition, we show that the problem of classifying a CTL formula into these classes is EXPTIME-complete.



1 Introduction 

Today’s rapid development of complex and safety-critical systems requires reliable
verification methods. In formal verification, we verify that a system meets a desired
property by checking that a mathematical model of the system satisfies a formal
specification that describes the property. We distinguish between two types of systems:
closed and open (open systems are also called reactive systems). A closed system is a
system whose behavior is completely determined by the state of the system. An open
system is a system that interacts with its environment and whose behavior depends on
this interaction. Thus, while in a closed system all the nondeterministic choices are
internal, and resolved by the system, in an open system there are also external
nondeterministic choices, which are resolved by the environment.

In order to check whether a closed system satisfies a desired property, we translate
the system into a formal model, typically a state transition graph, specify the property
with a temporal-logic formula, and check formally that the model satisfies the formula.
Hence the name model checking for the verification methods derived from this
viewpoint. In order to check whether an open system satisfies a desired property, we
need to check the behavior of the system with respect to an arbitrary environment.
In the most general setting, the environment is another open system. Thus, given an
open system M and a specification ψ, we need to check whether for every (possibly
infinite) open system M', which serves as an environment to M, the composition M||M'
satisfies ψ. If the answer is yes, we say that M robustly satisfies ψ. The problem of
robust model checking, initially posed in [ref], is to determine, given M and ψ,
whether M robustly satisfies ψ.

* Supported in part by the NSF grants CCR-9628400 and CCR-9700061, and by a grant from
the Intel Corporation. Part of this work was done when this author was a Varon Visiting
Professor at the Weizmann Institute of Science.

Two possible views regarding the nature of time induce two types of temporal
logics. In linear temporal logics, time is treated as if each moment in time has a
unique possible future. Thus, linear temporal logic formulas are interpreted over linear
sequences and we regard them as describing a behavior of a single computation of a
program. In branching temporal logics, each moment in time may split into various
possible futures. Accordingly, the structures over which branching temporal logic
formulas are interpreted can be viewed as infinite computation trees, each describing
the behavior of the possible computations of a nondeterministic program. It turns out
that traditional model-checking algorithms and tools are not suitable for the
verification of open systems with respect to branching temporal logics. In other words,
it may be that while M satisfies ψ, it does not robustly satisfy ψ.

To see the difference between robust satisfaction and usual satisfaction, consider the
open system M described below. The system M models a cash machine (ATM).

[Figure: the module M, with states labeled wait, read, get and give.]

At the state labeled wait, M waits for customers. When a customer comes, M moves to
the state labeled read, where it reads whether the customer wants to deposit or
withdraw money. According to the external choice of the customer, M moves to either a
get or a give state, from which it returns to the wait state. An environment for the
ATM is an infinite line of customers, each with his depositing or withdrawing plans.
Suppose that we want to check whether the ATM can always get money eventually; thus,
whether it satisfies the temporal logic formula ψ = AGEFget. Verification algorithms
that refer to M as a closed system perform model checking in order to verify the
correctness of the ATM. Since M ⊨ ψ, they get a positive answer to this question.
Nonetheless, it is easy to see that the ATM does not satisfy the property ψ with
respect to all environments. For example, the composition of M with the environment
$M'_1$, in which all the customers only withdraw money, does not satisfy ψ. Formally,
$M'_1$ never supplies to M the input deposit, thus $M'_1$ disables the transition of M
from the read state to the get state. Consequently, the composition $M \| M'_1$
contains a single computation, in which get is not reachable.

A first attempt to solve the robust-model-checking problem was presented in [ref],
which suggested the method of module checking. In this algorithmic method we check,
given an open system modeled as a finite state-transition graph, and a desired property
specified as a temporal-logic formula, whether, no matter how an environment disables
some of the system’s transitions, the composition of the system with the environment
satisfies the property. In particular, in the ATM example, the module-checking paradigm
takes into consideration the fact that the environment can consistently disable the
transition from the read state to the get state, and detects the fact that the ATM
cannot always get money eventually. The model discussed in [ref] is somewhat simplistic
as it does not allow the system to have internal variables. This assumption is removed
in [ref], which considers module checking with incomplete information. In this setting,
the system has internal variables, which the environment cannot read. While [ref]
considers arbitrary disabling of transitions, the setting in [ref] is such that whenever
two computations of the system differ only in the values of internal variables along
them, the disabling of transitions along them coincides. While the setting in [ref] is
more general, it still does not solve the general robust-model-checking problem.

To see this, let us go back to the ATM example. Suppose that we want to check
whether the ATM can either move from all the successors of the initial state to a state
where it gets money, or it can move from all the successors of the initial state to a
state where it gives money. When we regard M as a closed system, this property is
satisfied. Indeed, M satisfies the temporal-logic formula φ = AXEXget ∨ AXEXgive.
Moreover, no matter how we remove transitions from the computation tree of M, the
trees we get satisfy either AXEXget or AXEXgive*. In particular, $M \| M'_1$ satisfies
AXEXgive. Thus, if we follow the module-checking paradigm, the answer to the question
is positive. Consider now the environment $M'_2$. The initial state of $M \| M'_2$ has
two successors. One of these successors has a single successor in which the ATM gives
money and the second has a single successor in which the ATM gets money. Hence,
$M \| M'_2$ does not satisfy φ. Intuitively, while the module-checking paradigm
considers only disabling of transitions, and thus corresponds to the composition of M
with all deterministic environments, robust model checking considers all, possibly
nondeterministic, environments. There, the composition of the system with an
environment may not just disable some of the system’s transitions, but may also, as in
the example above, increase the nondeterminism of the system.

In this work we consider the problem of verification of open systems in its full
generality and solve the robust-model-checking problem. Thus, given an open system
M and a specification ψ, we study the problem of determining whether M robustly
satisfies ψ. Both M and its environment are nondeterministic Moore machines. They
communicate via input and output variables and they both may have private variables
and be nondeterministic. Our setting allows the environment to be infinite, and to have
unbounded branching degree. Nevertheless, we show that if there is some environment
M' for which M||M' does not satisfy ψ, then there is also a finite environment M''
with a bounded branching degree (which depends on the number of universal requirements
in ψ) such that M||M'' does not satisfy ψ.

* We assume that the composition of the system and the environment is deadlock free,
thus every state has at least one successor.

We solve the robust-model-checking problem for branching temporal specifications.
As with module checking with incomplete information, alternation is a suitable and
helpful automata-theoretic mechanism for coping with the internal variables of M and
M'. In spite of the similarity to the incomplete information setting, the solution of
the robust-model-checking problem is more challenging, as one needs to take into
consideration the fact that a module may have different reactions to the same input
sequence, yet this is possible only when different nondeterministic choices have been
taken along the sequence. Using alternating tree automata, we show that the problem of
robust satisfaction is EXPTIME-complete for CTL and the μ-calculus, and is
2EXPTIME-complete for CTL*. The internal variables of M make the time complexity of
the robust-model-checking problem exponential already in the size of M. The same
complexity bounds hold for the problem of module checking with incomplete information.
Thus, on the one hand, the problem of robust model checking, which generalizes the
problem of module checking with incomplete information, is not harder than the latter
problem. On the other hand, keeping in mind that the system to be checked is typically
a parallel composition of several components, which by itself hides an exponential
blow-up, our results imply that verification of open systems with respect to branching
temporal specifications is rather intractable.

Recall that not all specification formalisms are sensitive to the distinction between
open and closed systems. The study of verification of open systems has motivated the
use of universal temporal logics as a specification formalism. Formulas of universal
temporal logics describe requirements that should hold in all computations of the
system. These requirements may be either linear or branching. In both cases, the more
behaviors the system has, the harder it is for the system to satisfy the requirements.
Indeed, universal temporal logics induce the simulation order between systems.
That is, a system M simulates a system M' if and only if all universal temporal logic
formulas that are satisfied in M are satisfied in M' as well. It follows that
traditional model-checking methods are applicable also for the verification of open
systems with respect to universal properties. Indeed, since M simulates M||M' for every
M', satisfaction of a universal property in M implies its satisfaction in all the
compositions of M with an environment.

One of the main advantages of branching temporal logics with respect to linear
temporal logic is, however, the ability to mix universal and existential properties;
e.g., in order to specify possibility properties like AGEFp. Existential properties
describe requirements that should hold in some computations of the system. We show
that non-universal properties can be partitioned into two classes, each with a
different sensitivity to the distinction between open and closed systems. We say that a
temporal-logic formula ψ is existential if it imposes only existential requirements on
the system, thus ¬ψ is universal. The formula ψ is mixed if it imposes both existential
and universal requirements, thus ψ is neither universal nor existential. While
universal formulas are insensitive to the system being open, we show that existential
formulas are insensitive to the environment being nondeterministic. Thus, for such
formulas, one can use the module-checking method. We study the problems of determining
whether a given formula is universal or mixed, and show that they are both
EXPTIME-complete. These results are relevant also in the contexts of modular
verification and backwards reasoning.

In the discussion, we compare robust model checking with previous work about
verification of open systems as well as with the closely-related area of supervisory
control. We also argue for the generality of the model studied in this paper and show
that it captures settings in which assumptions about the environment are known, as well
as settings with global actions and possible deadlocks.



2 Preliminaries 

2.1 Trees and Automata 

Given a finite set $\Upsilon$, an $\Upsilon$-tree is a set $T \subseteq \Upsilon^*$ such that if
$x \cdot \upsilon \in T$, where $x \in \Upsilon^*$ and $\upsilon \in \Upsilon$, then also $x \in T$. When
$\Upsilon$ is not important or clear from the context, we call $T$ a tree. The elements of $T$
are called nodes, and the empty word $\varepsilon$ is the root of $T$. For every $x \in T$, the
nodes $x \cdot \upsilon \in T$ where $\upsilon \in \Upsilon$ are the children of $x$. Each node
$x \neq \varepsilon$ of $T$ has a direction in $\Upsilon$. The direction of a node $x \cdot \upsilon$ is
$\upsilon$. We denote by $dir(x)$ the direction of node $x$. An $\Upsilon$-tree $T$ is a full
infinite tree if $T = \Upsilon^*$. Unless otherwise mentioned, we consider here full infinite
trees. A path $\eta$ of a tree $T$ is a set $\eta \subseteq T$ such that $\varepsilon \in \eta$ and
for every $x \in \eta$ there exists a unique $\upsilon \in \Upsilon$ such that
$x \cdot \upsilon \in \eta$. The $i$’th level of $T$ is the set of nodes of length $i$ in $T$.
Given two finite sets $\Upsilon$ and $\Sigma$, a $\Sigma$-labeled $\Upsilon$-tree is a pair
$\langle T, V \rangle$ where $T$ is an $\Upsilon$-tree and $V : T \to \Sigma$ maps each node of $T$
to a letter in $\Sigma$. When $\Upsilon$ and $\Sigma$ are not important or clear from the context,
we call $\langle T, V \rangle$ a labeled tree.

Alternating tree automata generalize nondeterministic tree automata and were first
introduced in [ref]. An alternating tree automaton
$A = \langle \Sigma, Q, q_0, \delta, \alpha \rangle$ runs on full $\Sigma$-labeled
$\Upsilon$-trees (for an agreed set $\Upsilon$ of directions). It consists of a finite set $Q$ of
states, an initial state $q_0 \in Q$, a transition function $\delta$, and an acceptance
condition $\alpha$ (a condition that defines a subset of $Q^\omega$).

For a set $\Upsilon$ of directions, let $B^+(\Upsilon \times Q)$ be the set of positive Boolean
formulas over $\Upsilon \times Q$; i.e., Boolean formulas built from elements in
$\Upsilon \times Q$ using $\wedge$ and $\vee$, where we also allow the formulas true and false
and, as usual, $\wedge$ has precedence over $\vee$. The transition function
$\delta : Q \times \Sigma \to B^+(\Upsilon \times Q)$ maps a state and an input letter to a
formula that suggests a new configuration for the automaton. For example, when
$\Upsilon = \{0, 1\}$, having
$\delta(q, \sigma) = (0, q_1) \wedge (0, q_2) \vee (0, q_2) \wedge (1, q_2) \wedge (1, q_3)$
means that when the automaton is in state $q$ and reads the letter $\sigma$, it can either
send two copies, in states $q_1$ and $q_2$, to direction 0 of the tree, or send a copy in
state $q_2$ to direction 0 and two copies, in states $q_2$ and $q_3$, to direction 1. Thus,
unlike nondeterministic tree automata, here the transition function may require the
automaton to send several copies to the same direction or allow it not to send copies
to all directions.

A run of an alternating automaton $A$ on an input $\Sigma$-labeled $\Upsilon$-tree
$\langle T, V \rangle$ is a tree $\langle T_r, r \rangle$ in which the root is labeled by $q_0$ and
every other node is labeled by an element of $\Upsilon^* \times Q$. Unlike $T$, in which each
node has exactly $|\Upsilon|$ children, the tree $T_r$ may have nodes with many children and
may also have leaves (nodes with no children). Thus, $T_r \subseteq \mathbb{N}^*$ and a path
in $T_r$ may be either finite, in which case it contains a leaf, or infinite. Each node of
$T_r$ corresponds to a node of $T$. A node in $T_r$, labeled by $(x, q)$, describes a copy
of the automaton that reads the node $x$ of $T$ and visits the state $q$. Note that many
nodes of $T_r$ can correspond to the same node of $T$; in contrast, in a run of a
nondeterministic automaton on $\langle T, V \rangle$ there is a one-to-one correspondence
between the nodes of the run and the nodes of the tree. The labels of a node and its
children have to satisfy the transition function. Formally, $\langle T_r, r \rangle$ is a
$\Sigma_r$-labeled tree where $\Sigma_r = \Upsilon^* \times Q$ and $\langle T_r, r \rangle$
satisfies the following:

1. $\varepsilon \in T_r$ and $r(\varepsilon) = (\varepsilon, q_0)$.

2. Let $y \in T_r$ with $r(y) = (x, q)$ and $\delta(q, V(x)) = \theta$. Then there is a
(possibly empty) set
$S = \{(c_0, q_0), (c_1, q_1), \ldots, (c_{n-1}, q_{n-1})\} \subseteq \Upsilon \times Q$,
such that:

- $S$ satisfies $\theta$, and

- for all $0 \le i < n$, we have $y \cdot i \in T_r$ and $r(y \cdot i) = (x \cdot c_i, q_i)$.

For example, if $\langle T, V \rangle$ is a $\{0, 1\}$-tree with $V(\varepsilon) = a$ and
$\delta(q_0, a) = ((0, q_1) \vee (0, q_2)) \wedge ((0, q_3) \vee (1, q_2))$, then the nodes
of $\langle T_r, r \rangle$ at level 1 include the label $(0, q_1)$ or $(0, q_2)$, and include
the label $(0, q_3)$ or $(1, q_2)$. Note that if $\theta =$ true, then $y$ need not have
children. This is the reason why $T_r$ may have leaves. Also, since there exists no set
$S$ as required for $\theta =$ false, we cannot have a run that takes a transition with
$\theta =$ false.

Each infinite path $\rho$ in $\langle T_r, r \rangle$ is labeled by a word $r(\rho)$ in
$Q^\omega$. Let $inf(\rho)$ denote the set of states in $Q$ that appear in $r(\rho)$
infinitely often. A run $\langle T_r, r \rangle$ is accepting iff all its infinite paths
satisfy the acceptance condition. In Büchi alternating tree automata, $\alpha \subseteq Q$,
and an infinite path $\rho$ satisfies $\alpha$ iff $inf(\rho) \cap \alpha \neq \emptyset$. In
Rabin alternating tree automata, $\alpha \subseteq 2^Q \times 2^Q$, and an infinite path
$\rho$ satisfies an acceptance condition $\alpha = \{(G_1, B_1), \ldots, (G_m, B_m)\}$ iff
there exists $1 \le i \le m$ for which $inf(\rho) \cap G_i \neq \emptyset$ and
$inf(\rho) \cap B_i = \emptyset$. As with nondeterministic automata, an automaton accepts a
tree iff there exists an accepting run on it. We denote by $\mathcal{L}(A)$ the language of
the automaton $A$; i.e., the set of all labeled trees that $A$ accepts. We say that an
automaton is nonempty iff $\mathcal{L}(A) \neq \emptyset$.

Formulas of branching temporal logic can be translated to alternating tree automata
[ref]. Since the modalities of conventional temporal logics, such as CTL* and the
$\mu$-calculus, do not distinguish between the various successors of a node (that is,
they impose requirements either on all the successors of the node or on some
successor), the alternating automata that one gets by translating formulas to automata
are of a special structure, in which whenever a state $q$ is sent to direction
$\upsilon$, the state $q$ is sent to all the directions $\upsilon \in \Upsilon$, in either a
disjunctive or conjunctive manner. Formally, following the notations in [ref], the
formulas in $B^+(\Upsilon \times Q)$ that appear in the transitions of such alternating tree
automata are members of $B^+(\{\Box, \Diamond\} \times Q)$, where $\Box q$ stands for
$\bigwedge_{\upsilon \in \Upsilon} (\upsilon, q)$ and $\Diamond q$ stands for
$\bigvee_{\upsilon \in \Upsilon} (\upsilon, q)$. As we shall see in Section 3, this
structure of the automata is crucial for solving the robust model-checking problem. We
say that an alternating tree automaton is symmetric if it has the special structure
described above.
2.2 Modules

A module is a tuple $M = \langle I, O, W, w^{in}, i^{in}, \rho, \pi \rangle$, where $I$ is a
finite set of Boolean input variables, $O$ is a finite set of Boolean output variables (we
assume that $I \cap O = \emptyset$), $W$ is a (possibly infinite) set of states,
$w^{in} \in W$ is an initial state, $i^{in} \in 2^I$ is an initial input,
$\rho : W \times 2^I \to 2^W$ is a nondeterministic transition function, and
$\pi : W \to 2^O$ is a labeling function that assigns to each state its output. We
require that for all $w \in W$ and $\sigma \in 2^I$, the set $\rho(w, \sigma)$ is not empty.
Intuitively, the module can always respond to external inputs, though the response
might be to enter a “bad” state. Intuitively, $M$ starts its execution in $w^{in}$, where
it expects the input $i^{in}$. Whenever $M$ is in state $w$ and the input is
$\sigma \subseteq I$, it moves nondeterministically to one of the states in
$\rho(w, \sigma)$. A module is open if $I \neq \emptyset$. Otherwise, it is closed. The
degree of $M$ is the minimal integer $k$ such that for all $w$ and $\sigma$, the set
$\rho(w, \sigma)$ contains at most $k$ states. If for all $w$ and $\sigma$ the set
$\rho(w, \sigma)$ contains exactly $k$ states, we say that $M$ is of exact degree $k$.

Let $M_1 = \langle I, O, W_1, w_1^{in}, i_1^{in}, \rho_1, \pi_1 \rangle$ and
$M_2 = \langle O, I, W_2, w_2^{in}, i_2^{in}, \rho_2, \pi_2 \rangle$ be two modules such that
$\pi_1(w_1^{in}) = i_2^{in}$ and $\pi_2(w_2^{in}) = i_1^{in}$. Note that the inputs of
$M_1$ are the outputs of $M_2$ and vice versa. The composition of $M_1$ and $M_2$ is the
closed module $M_1 \| M_2 = \langle \emptyset, I \cup O, W, w^{in}, \emptyset, \rho, \pi \rangle$,
where

- $W = W_1 \times W_2$.

- $w^{in} = (w_1^{in}, w_2^{in})$.

- For every $(w_1, w_2) \in W$, we have
$\rho((w_1, w_2), \emptyset) = \rho_1(w_1, \pi_2(w_2)) \times \rho_2(w_2, \pi_1(w_1))$.

- For every $(w_1, w_2) \in W$, we have $\pi((w_1, w_2)) = \pi_1(w_1) \cup \pi_2(w_2)$.

Note that since we assume that for all $w \in W$ and $\sigma \in 2^I$, the set
$\rho(w, \sigma)$ is not empty, the composition of $M$ with $M'$ is deadlock free, thus
every reachable state has at least one successor. Note also that the restriction to $M'$
that closes $M$ does not affect the answer to the robust-model-checking problem. Indeed,
if there is some $M'$ such that $M \| M'$ is open and does not satisfy $\psi$, we can
easily extend $M'$ so that its composition with $M$ would be closed and would still not
satisfy $\psi$.
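As an added example (not the paper's code), the ATM of the introduction is checked in the three views compared there: M as a closed system, M composed with the deterministic withdraw-only environment $M'_1$ (the module-checking view), and M composed with a nondeterministic environment $M'_2$ (the robust view), using the composition just defined. The encoding of the ATM (one input variable deposit, each state outputting its own name), the two environments, and the small explicit-state CTL checker are all assumptions constructed here from the text.

```python
from itertools import product


# A module as in Section 2.2 (encoding constructed here): an initial state,
# rho(w, inputs) -> set of successor states, pi(w) -> set of outputs true in w.
class Module:
    def __init__(self, init, rho, pi):
        self.init, self.rho, self.pi = init, rho, pi


def explore(init, successors, label):
    """Reachable finite state graph as (init, successor dict, label dict)."""
    succ, todo = {}, [init]
    while todo:
        s = todo.pop()
        if s not in succ:
            succ[s] = successors(s)
            todo.extend(succ[s])
    return init, succ, {s: label(s) for s in succ}


def closed_view(m, inputs):
    """M regarded as a closed system: external choices become internal ones, so
    the successors of w are the union of rho(w, sigma) over all inputs sigma."""
    return explore(m.init, lambda w: set().union(*(m.rho(w, i) for i in inputs)), m.pi)


def compose(m1, m2):
    """M1 || M2 as in Section 2.2: each module reads the other's output,
    rho((w1, w2)) = rho1(w1, pi2(w2)) x rho2(w2, pi1(w1)) and pi = pi1 u pi2."""
    def successors(s):
        return set(product(m1.rho(s[0], m2.pi(s[1])), m2.rho(s[1], m1.pi(s[0]))))
    return explore((m1.init, m2.init), successors, lambda s: m1.pi(s[0]) | m2.pi(s[1]))


def sat(graph, f):
    """States of the graph satisfying CTL formula f, given as nested tuples:
    ('ap', p), ('not', f), ('or', f, g), ('EX', f), ('EF', f), ('AX', f), ('AG', f).
    EF is a least fixpoint; AX and AG are computed through their duals."""
    _, succ, label = graph
    states, op = set(succ), f[0]
    if op == "ap":
        return {s for s in states if f[1] in label[s]}
    if op == "not":
        return states - sat(graph, f[1])
    if op == "or":
        return sat(graph, f[1]) | sat(graph, f[2])
    if op == "EX":
        target = sat(graph, f[1])
        return {s for s in states if succ[s] & target}
    if op == "EF":
        z = sat(graph, f[1])
        while True:
            nz = z | {s for s in states if succ[s] & z}
            if nz == z:
                return z
            z = nz
    if op == "AX":
        return sat(graph, ("not", ("EX", ("not", f[1]))))
    if op == "AG":
        return sat(graph, ("not", ("EF", ("not", f[1]))))
    raise ValueError(f"unknown operator {op}")


def holds(graph, f):
    """Does the initial state of the graph satisfy f?"""
    return graph[0] in sat(graph, f)


# The ATM of the introduction: I = {deposit}; every state outputs its own name.
def atm_rho(w, inputs):
    if w == "wait":
        return {"read"}                               # a customer always arrives
    if w == "read":                                   # the customer's choice is external
        return {"get"} if "deposit" in inputs else {"give"}
    return {"wait"}                                   # get and give return to wait


ATM = Module("wait", atm_rho, lambda w: {w})
# M'_1: deterministic, every customer only withdraws (deposit is never output).
ENV_WITHDRAW = Module("e", lambda w, out: {"e"}, lambda w: set())
# M'_2: nondeterministic, each round picks a depositing (ed) or withdrawing (ew)
# customer, which splits the ATM's read state into two successors.
ENV_SPLIT = Module("e0", lambda w, out: {"ed", "ew"} if w == "e0" else {"e0"},
                   lambda w: {"deposit"} if w == "ed" else set())
PSI = ("AG", ("EF", ("ap", "get")))                                   # AG EF get
PHI = ("or", ("AX", ("EX", ("ap", "get"))), ("AX", ("EX", ("ap", "give"))))


def verdicts():
    """The three views of the ATM compared in the introduction."""
    closed = closed_view(ATM, [frozenset(), frozenset({"deposit"})])
    return {
        "closed M, AGEFget": holds(closed, PSI),                      # True
        "closed M, phi": holds(closed, PHI),                          # True
        "M||M'_1, AGEFget": holds(compose(ATM, ENV_WITHDRAW), PSI),   # False
        "M||M'_1, phi": holds(compose(ATM, ENV_WITHDRAW), PHI),       # True
        "M||M'_2, phi": holds(compose(ATM, ENV_SPLIT), PHI),          # False
    }
```

The last line of the result is the one module checking misses: $M'_2$ violates φ by splitting, not by disabling, a transition of M.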

Every module $M = \langle I, O, W, w^{in}, i^{in}, \rho, \pi \rangle$ induces an enabling
tree $\langle T, V \rangle$. The enabling tree of $M$ is a full infinite
$\{\top, \bot\}$-labeled $(W \times 2^I)$-tree, thus $T = (W \times 2^I)^*$. We define
$dir(\varepsilon)$ to be $(w^{in}, i^{in})$, and we label $\varepsilon$ by $\top$. Intuitively,
$\langle T, V \rangle$ indicates which behaviors of $M$ are enabled. Consider a node
$x \in T$ such that $dir(x) = (w, \sigma)$. For every state $w' \in W$ and input
$\sigma' \in 2^I$, we define $V(x \cdot (w', \sigma'))$ as $\top$ if $w' \in \rho(w, \sigma)$,
and as $\bot$ otherwise. Consider a node
$x = (w_1, \sigma_1), (w_2, \sigma_2), \ldots, (w_m, \sigma_m) \in T$. By the definition of
$V$, the module $M$ can traverse a computation $w^{in}, w_1, w_2, \ldots, w_m$ when it
reads the input sequence $i^{in}, \sigma_1, \sigma_2, \ldots, \sigma_{m-1}$ iff all the
prefixes $y$ of $x$ have $V(y) = \top$. Indeed, then and only then we have
$w_1 \in \rho(w^{in}, i^{in})$, and $w_{i+1} \in \rho(w_i, \sigma_i)$ for all
$1 \le i \le m - 1$.

Following the definition of a product between two modules, the enabling tree of
$M_1 \| M_2$ is a $\{\top, \bot\}$-labeled $(W_1 \times W_2)$-tree. Intuitively, $M_2$
supplies to $M_1$ its input (and vice versa). Therefore, while the trees of $M_1$ are
$(W_1 \times 2^I)$-trees, reflecting the fact that every state in $M_1$ may read
$2^{|I|}$ different inputs and move to $|W_1|$ successors, the tree of $M_1 \| M_2$ is a
$(W_1 \times W_2)$-tree, reflecting the fact that every state in $M_1 \| M_2$ may have
$|W_1| \cdot |W_2|$ successors. Note that $M_2$ may be nondeterministic. Accordingly, a
node associated with a state $w$ of $M_1$ may have $k$ successors that are labeled
$\top$ in the enabling tree of $M_1$ and have $k' > k$ successors that are labeled
$\top$ in the enabling tree of $M_1 \| M_2$. That is, $M_2$ can not only prune
transitions of $M_1$; it can also split transitions of $M_1$.

Recall that the enabling tree of a module $M$ is a full infinite $\{\top, \bot\}$-labeled
$(W \times 2^I)$-tree. As we shall see in Section 3, the fact that the tree is full
circumvents some technical difficulties. We now define when $M$ satisfies a formula.
For that, we prune from the full tree nodes that correspond to unreachable states of
$M$. Since each state of $M$ has at least one successor, every node in the pruned tree
also has at least one successor. Consequently, we are able, in Section 3, to duplicate
subtrees and go back to convenient full trees. For an enabling tree
$\langle T, V \rangle$, the $\top$-restriction of $\langle T, V \rangle$ is the
$\{\top\}$-labeled tree with directions in $(W \times 2^I)$ that is obtained from
$\langle T, V \rangle$ by pruning subtrees with a root labeled $\bot$. For a module $M$,
the computation tree of $M$ is a $2^{I \cup O}$-labeled $(W \times 2^I)$-tree obtained
from the $\top$-restriction of $M$’s enabling tree by replacing the $\top$ label of a
node with direction $(w, \sigma)$ by the label $\pi(w) \cup \sigma$. Note that when $M$
is closed, its computation tree is a $W$-tree. We say that $M$ satisfies a branching
temporal logic formula $\psi$ over $I \cup O$ iff $M$’s computation tree satisfies
$\psi$. The problem of robust model checking is to determine, given $M$ and $\psi$,
whether for every $M'$, the composition $M \| M'$ satisfies $\psi$ (we assume that the
reader is familiar with branching temporal logic. We refer here to the logics CTL,
CTL*, and the $\mu$-calculus [refs]).

3 Robust Model Checking

In this section we solve the robust-model-checking problem and study its complexity.
Thus, given a module $M$ and a branching temporal logic formula $\psi$, we check
whether for every $M'$, the composition $M \| M'$ satisfies $\psi$. We assume that $M$
has finitely many states and allow $M'$ to have infinitely many states. Nevertheless,
we show that if some environment that violates $\psi$ exists, then there exists also a
violating environment with finitely many states and a bounded branching degree. For a
branching temporal logic formula $\psi$, we denote by $\mathcal{E}(\psi)$ the number of
existential subformulas (subformulas of the form $E\xi$) in $\psi$. It is known that
$\mathcal{E}(\psi)$ bounds the branching degree required in order to satisfy $\psi$ [ref].
We now extend this result and show that, also in robust model checking, it suffices to
consider environments of degree $\mathcal{E}(\psi)$. For an integer $k \ge 1$, let
$[k] = \{1, \ldots, k\}$.

Theorem 1. Consider a module $M$ and a branching temporal logic formula $\psi$ over
$I \cup O$. Let $k = \max\{1, \mathcal{E}(\psi)\}$. If there exists $M'$ such that
$M \| M' \models \psi$, then there also exists $M'$ of exact degree $k$ such that
$M \| M' \models \psi$.

Proof (sketch): Assume that $M \| M' \models \psi$ for some $M'$. Thus, the computation
tree $\langle T, V \rangle$ of $M \| M'$ satisfies $\psi$. In order for that to be true,
each node in $\langle T, V \rangle$ has to satisfy a set of subformulas of $\psi$.
Formally, there is a mapping $V'$ of $T$ to sets of subformulas of $\psi$ such that
$\psi \in V'(\varepsilon)$, and for every $x \in T$, the set $V'(x)$ contains formulas
that hold in $x$, such that the labeling along paths that start at $x$ is enough to
“justify” $V'(x)$. For example, if a node $x$ is labeled by $EXp$, then at least one
successor of $x$ is labeled by $p$. Consider a node $x$. Some formulas in $V'(x)$ impose
on the paths starting at $x$ universal requirements. To satisfy these requirements, $x$
need not have children (yet all the children that $x$ does have, belong to paths that
satisfy these universal requirements). In addition, some formulas in $V'(x)$ impose on
the paths starting at $x$ at most $k$ existential requirements. Each such requirement
needs to be satisfied by some path starting at $x$, yet it does not have to be
satisfied by more than one such path. Also, it may be that the existential requirements
impose particular values on the input variables in the successors of $x$, and different
existential requirements may impose the same value. Accordingly, we can prune some of
the paths that start at $x$ and satisfy the formulas in $V'(x)$ with not more than $k$
successors of $x$ for each $\sigma \in 2^I$, or by a single successor, in the case
$V'(x)$ contains no existential requirements. The pruned tree can therefore be obtained
by taking the product of $M$ with a module $M''$ of degree $k$ where $M''$ is a suitable
pruning of the infinite module obtained by unwinding $M'$. In order to get a module of
exact degree $k$, we can then duplicate some of the subtrees of $M''$. (For the
$\mu$-calculus, the proof is considerably more complicated and uses techniques from
[ref].) □



In order to understand the difference between Theorem 1 and the classical
“bounded-degree property” for branching temporal logic, recall that the theorem refers
to the branching degree of the environment, rather than to that of the composition
$M \| M'$. Consider, for example, a module $M$ with an initial state that has two
successors, one labeled $p$ and one labeled $\neg p$. In order for $M$ to satisfy the
formula $\psi = EX(p \wedge q) \wedge EX(p \wedge \neg q)$, for an input variable $q$, a
split of the state labeled $p$ is required. Though $\mathcal{E}(\psi) = 2$, such a split
results in a composition of branching degree 4. It can, however, be achieved by
composing $M$ with an environment $M'$ of branching degree 2. Theorem 1 shows that,
though we may sometimes need the branching degree of $M \| M'$ to be bigger than
$\mathcal{E}(\psi)$, it is sufficient to compose $M$ with an environment of branching
degree $\mathcal{E}(\psi)$. We now use Theorem 1 to show that the robust-satisfaction
problem for branching temporal logics can be reduced to the emptiness problem for
alternating tree automata.



Theorem 2. Consider a module $M$ and a branching temporal logic formula $\psi$ over
$I \cup O$. Let $A_\psi$ be the symmetric alternating tree automaton that corresponds to
$\psi$ and let $k = \max\{1, \mathcal{E}(\psi)\}$. There is an alternating tree automaton
$A_{M,\psi}$ over $2^I$-labeled $(2^O \times [k])$-trees such that

1. $\mathcal{L}(A_{M,\psi})$ is empty iff $M$ robustly satisfies $\neg\psi$.

2. $A_{M,\psi}$ and $A_\psi$ have the same acceptance condition.

3. The size of $A_{M,\psi}$ is $O(|M| \cdot |A_\psi| \cdot k)$.

Proof (sketch): Before we describe $A_{M,\psi}$, let us explain the difficulties in the
construction and why alternation is so helpful in solving them. The automaton
$A_{M,\psi}$ searches for a module $M'$ of exact degree $k$ for which
$M \| M' \in \mathcal{L}(A_\psi)$. The modules $M$ and $M'$ interact via the sets $I$ and
$O$ of variables. Thus, $M'$ does not know the state in which $M$ is, and it only knows
$M$’s output. Accordingly, not all $\{\top, \bot\}$-labeled $(W \times W')$-trees are
possible enabling trees of a product $M \| M'$. Indeed, $A_{M,\psi}$ needs to consider
only trees in which the behavior of $M'$ is consistent with its incomplete information:
if two nodes have the same output history (history according to $M'$’s incomplete
information), then either they agree on their label (which can be either $\bot$ or a set
of input variables), or the two nodes are outcomes of two different nondeterministic
choices that $M'$ has taken along this input history. This consistency condition is
non-regular and cannot be checked by an automaton [ref]. It is this need, to restrict
the set of candidate enabling trees to trees that meet some non-regular condition, that
makes robust model checking in the branching paradigm so challenging. The solution is
to consider, instead of $(W \times W')$-trees, $(2^O \times [k])$-trees. Each node in
such a tree may correspond to several nodes in a $(W \times W')$-tree, all with the same
output history. Then, alternation is used in order to make sure that while all these
nodes agree on their labeling, each of them satisfies requirements that together
guarantee the membership in $\mathcal{L}(A_\psi)$.

Let $M = \langle I, O, W, w^{in}, i^{in}, \rho, \pi \rangle$. For $w \in W$,
$\sigma \in 2^I$, and $v \in 2^O$, we define

$$s(w, \sigma, v) = \{ w' \mid w' \in \rho(w, \sigma) \text{ and } \pi(w') = v \}.$$

That is, $s(w, \sigma, v)$ contains all the states with output $v$ that $w$ moves to
when it reads $\sigma$. The definition of the automaton $A_{M,\psi}$ can be viewed as an
extension of the product alternating tree automaton obtained in the
alternating-automata theoretic framework for branching time model checking [ref].
There, as we are concerned with model checking, there is a single computation tree with
respect to which the formula is checked, and the automaton obtained is a 1-letter
automaton. The difficulty here, as we are concerned with robust model checking, is that
there are many computation trees to check, so a 1-letter automaton does not suffice.
Let $A_\psi = \langle 2^{I \cup O}, Q, q_0, \delta, \alpha \rangle$. We define
$A_{M,\psi} = \langle 2^I, Q', q_0, \delta', \alpha' \rangle$, where

- $Q' = \{q_0\} \cup (W \times Q)$. Intuitively, when the automaton is in state
$(w, q)$, it accepts all trees that are induced by an environment $M'$ for which the
composition with $M$ with initial state $w$ is accepted by $A_\psi$ with initial state
$q$. The initial state $q_0$ corresponds to the state $(w^{in}, q_0)$, yet it also checks
that the first input is $i^{in}$.

- The transition function $\delta' : Q' \times 2^I \to B^+((2^O \times [k]) \times Q')$
is defined as follows.

• For all $w$, $q$, and $\sigma$, the transition $\delta'((w, q), \sigma)$ is obtained
from $\delta(q, \sigma \cup \pi(w))$ by replacing a conjunction $\Box q'$ by the
conjunction

$$\bigwedge_{v \in 2^O} \; \bigwedge_{j \in [k]} \; \bigwedge_{w' \in s(w, \sigma, v)} ((v, j), (w', q'))$$

and replacing a disjunction $\Diamond q'$ by the disjunction

$$\bigvee_{v \in 2^O} \; \bigvee_{j \in [k]} \; \bigvee_{w' \in s(w, \sigma, v)} ((v, j), (w', q')).$$

• For the initial state $q_0$, we define
$\delta'(q_0, i^{in}) = \delta'((w^{in}, q_0), i^{in})$. For all $\sigma \neq i^{in}$, we
define $\delta'(q_0, \sigma) =$ false.

Consider, for example, a transition from the state {w,q). Let cr G 2^ be such that 
6{q, (j\jTr{w)) = DsAOf. The successors of w that are enabled with input cr should 
satisfy OsAOt. Thus, all these successors should satisfy s and at least one successor 
should satisfy t. The state w may have several successors in p{w, a) with the same 
output V G 2^ . These successors are indistinguishable by M' . Therefore, if M' 
behaves differently in such two successors, it is only because M' is in a different 
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State when it interacts with these successors. The number k bounds the number 
of states in p{w,a). Accordingly, M' can exhibit k different behaviors when it 
interacts with indistinguishable successors of w. For each j G \k], the automaton 
sends all the successors of w in s(w, a, v) to the same direction {v, j), where they 
are going to face the same future. Since S{q, a U tt{w)) = Ds A Of, a copy in state 
s is sent to all the successors, and a copy in state t is sent to some successor. Note 
that as M is deadlock free, the conjunctions and disjunctions in 6 cannot be empty. 
- a' is obtained from a by replacing every set participating in a by the set W x a. 

□ 
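As an added illustration, not code from the paper, the following Python builds $\delta'$ for one state $(w, q)$ and input $\sigma$ exactly as defined above: it computes $s(w, \sigma, v)$, fans each $\Box q'$ and $\Diamond q'$ out over the directions $(v, j)$, and treats the initial state $q_0$ separately. The module, the bound $k$ and the table $\delta$ with $\delta(q, \emptyset) = \Box s \wedge \Diamond t$ are constructed sample data, and the encoding of positive Boolean formulas as nested tuples is this example's own choice.

```python
"""Transition function δ' of the product automaton A_{M,ψ}.

Added example, not code from the paper.  It implements the definition above:
s(w, σ, v), the rewriting of δ(q, σ ∪ π(w)) into δ'((w, q), σ) by fanning each
□q' / ◇q' out over the directions (v, j), v ∈ 2^O, j ∈ [k], and the special
initial state q0.  SAMPLE_M, SAMPLE_K and SAMPLE_DELTA are constructed data.
"""
from dataclasses import dataclass
from itertools import combinations

# Positive Boolean formulas as nested tuples:
#   ("and", [f, ...]) | ("or", [f, ...]) | ("box", q) | ("dia", q) | True | False
#   | ("atom", (v, j), (w, q))          -- atoms of δ' only
# Letters of 2^I, 2^O and 2^(I ∪ O) are frozensets of proposition names.

@dataclass(frozen=True)
class Module:
    I: frozenset        # input propositions
    O: frozenset        # output propositions
    W: frozenset        # states
    w_in: str           # initial state
    z_in: frozenset     # initial input letter
    rho: dict           # (w, σ) -> set of successor states (deadlock free)
    pi: dict            # w -> output letter π(w) ∈ 2^O

def s(M, w, sigma, v):
    """s(w, σ, v): the σ-successors of w whose output is v."""
    return {w2 for w2 in M.rho[(w, sigma)] if M.pi[w2] == v}

def letters(props):
    """The set 2^props of letters over props."""
    ps = sorted(props)
    return [frozenset(c) for r in range(len(ps) + 1) for c in combinations(ps, r)]

def product_transition(M, k, delta, w, q, sigma):
    """δ'((w, q), σ): δ(q, σ ∪ π(w)) with every □q' / ◇q' fanned out."""
    def rewrite(f):
        if f is True or f is False:
            return f
        if f[0] in ("and", "or"):
            return (f[0], [rewrite(g) for g in f[1]])
        q2 = f[1]
        # □q' -> conjunction, ◇q' -> disjunction, over all v ∈ 2^O, j ∈ [k],
        # w' ∈ s(w, σ, v) of the atom ((v, j), (w', q')).
        atoms = [("atom", (v, j), (w2, q2))
                 for v in letters(M.O) for j in range(1, k + 1)
                 for w2 in s(M, w, sigma, v)]
        return ("and" if f[0] == "box" else "or", atoms)
    return rewrite(delta[(q, sigma | M.pi[w])])

def initial_transition(M, k, delta, q0, sigma):
    """δ'(q0, σ): like (w_in, q0) on the input z_in, false on any other input."""
    if sigma != M.z_in:
        return False
    return product_transition(M, k, delta, M.w_in, q0, sigma)

def directions(f):
    """Directions (v, j) mentioned by the atoms of a δ' formula."""
    if f is True or f is False:
        return set()
    if f[0] == "atom":
        return {f[1]}
    return set().union(*(directions(g) for g in f[1]))

# Constructed sample: one input i, one output o.  From w0 on input ∅ the module
# moves nondeterministically to w1 or w2; both output {o}, so the environment
# cannot tell them apart.  k = 2 bounds |ρ(w, σ)|.
EMPTY, IN, OUT = frozenset(), frozenset({"i"}), frozenset({"o"})
SAMPLE_M = Module(
    I=IN, O=OUT, W=frozenset({"w0", "w1", "w2"}), w_in="w0", z_in=EMPTY,
    rho={("w0", EMPTY): {"w1", "w2"}, ("w0", IN): {"w1"},
         ("w1", EMPTY): {"w1"}, ("w1", IN): {"w1"},
         ("w2", EMPTY): {"w2"}, ("w2", IN): {"w2"}},
    pi={"w0": EMPTY, "w1": OUT, "w2": OUT})
SAMPLE_K = 2
# δ(q, ∅) = □s ∧ ◇t, the case worked through in the text (other entries omitted).
SAMPLE_DELTA = {("q", EMPTY): ("and", [("box", "s"), ("dia", "t")])}

if __name__ == "__main__":
    f = product_transition(SAMPLE_M, SAMPLE_K, SAMPLE_DELTA, "w0", "q", EMPTY)
    print(f)              # □s and ◇t each fan out to 4 atoms over ({o},1), ({o},2)
    print(directions(f))
```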

We now consider the complexity bounds for various branching temporal logics that 
follow from our algorithm. 

Theorem 3. Robust model checking is

(1) EXPTIME-complete for CTL, the $\mu$-calculus, and the alternation-free $\mu$-calculus.

(2) 2EXPTIME-complete for CTL*.

Proof (sketch): Consider a branching temporal logic formula $\psi$ of length $n$. Let $\mathcal{A}_\psi$ be the symmetric alternating tree automaton that corresponds to $\psi$. By [ref], $\mathcal{A}_\psi$ is a Büchi automaton with $O(n)$ states for $\psi$ in CTL or in the alternation-free $\mu$-calculus, $\mathcal{A}_\psi$ is a parity automaton with $O(n)$ states and $d$ sets in the acceptance condition for $\psi$ in the $\mu$-calculus with alternation depth $d$, and $\mathcal{A}_\psi$ is a Rabin automaton with $2^{O(n)}$ states and 2 pairs in the acceptance condition for $\psi$ in CTL*. In Theorem [ref] we reduced the robust-model-checking problem of $M$ with respect to $\neg\psi$ to the problem of checking the nonemptiness of the automaton $\mathcal{A}_{M,\psi}$, which is of size $|M| \cdot |\mathcal{A}_\psi| \cdot \max\{1, d(\psi)\}$, and which has the same type and size of acceptance condition as $\mathcal{A}_\psi$. The upper bounds then follow from the complexity of the nonemptiness problem for the various automata [ref].

For the lower bounds, one can reduce the satisfiability problem for a branching temporal logic to the robust-model-checking problem for that logic. To see this, note that, by the "bounded-degree property" of branching temporal logic, a search for a satisfying model for $\psi$ can be reduced to a search for a satisfying $2^{I \cup O}$-labeling of a tree with branching degree $\max\{1, d(\psi)\}$. Then, one can relate the choice of the labels to choices made by the environment. □

The implementation complexity of robust model checking is the complexity of the problem in terms of the module, assuming that the specification is fixed. As we discuss in Section [ref], there are formulas for which robust model checking coincides with module checking with incomplete information. Since module checking with incomplete information is EXPTIME-hard already for CTL formulas of that type, it follows that the implementation complexity of robust model checking for CTL (and the other, more expressive, logics) is EXPTIME-complete.

In our definition of robust satisfaction, we allow the environment to have infinitely many states. We now claim that finite environments are strong enough. The proof is based on a "finite-model property" of tree automata, proven in [ref] for nondeterministic tree automata and extended in [ref] to alternating tree automata. As we discuss in Section [ref], this result is of great importance in the dual paradigm of supervisory control, where instead of hostile environments we consider collaborative controllers.

Theorem 4. Given a module $M$ and a branching temporal logic formula $\psi$, if there is an infinite module $M'$ of degree $k$ such that $M \| M'$ satisfies $\psi$, then there also exists a finite module $M''$ of degree $k$ such that $M \| M''$ satisfies $\psi$.

The alternating-automata-theoretic approach to CTL and CTL* model checking is extended in [ref] to handle Fair-CTL and Fair-CTL* [ref]. Using the same extension, we can solve the problem of robust model checking also for modules augmented with fairness conditions.

4 Universal and Mixed Formulas

The study of verification of open systems has motivated the use of universal temporal logic [ref]. Formally, a formula $\psi$ is universal iff for every module $M$, if $M$ satisfies $\psi$, then for every $M'$, the composition $M \| M'$ also satisfies $\psi$. By the above definition, $M$ satisfies a universal property $\psi$ iff $M$ robustly satisfies $\psi$. In this section we show that the set of non-universal properties can be further partitioned into two classes, each with a different sensitivity to the robustness of the satisfaction. In addition, we study the complexity of classifying a CTL formula into its sensitivity class. We say that a CTL formula $\psi$ is mixed iff $\psi$ imposes both universal and existential properties in a nontrivial way. Thus, $\psi$ is mixed iff neither $\psi$ nor $\neg\psi$ is universal. We first show that formulas that are not mixed are insensitive to the environment being nondeterministic.

Theorem 5. Consider a module $M$ and a specification $\psi$. If $\psi$ is not mixed, then $M$ robustly satisfies $\psi$ iff $M \| M' \models \psi$ for every deterministic $M'$.

Proof (sketch): Clearly, if $M$ robustly satisfies $\psi$, then $M \| M' \models \psi$ for every deterministic $M'$. For the other direction, assume that $\psi$ is not mixed and that $M \| M' \models \psi$ for every deterministic $M'$. We prove that then $M$ robustly satisfies $\psi$, that is, that $M \| M' \models \psi$ for every possibly nondeterministic $M'$. We distinguish between two cases. If $\psi$ is universal, then, as $M$ simulates $M \| M'$ for every (possibly nondeterministic) $M'$, robust satisfaction coincides with usual satisfaction and we are done. If $\psi$ is existential, assume that there is a nondeterministic $M'$ such that $M \| M'$ does not satisfy $\psi$. Let $M''$ be any deterministic module obtained from $M'$ by removing transitions. Since $M'$ simulates $M''$, the composition $M \| M'$ simulates the composition $M \| M''$ [ref]. Therefore, as $\psi$ is existential, it must be that $M \| M''$ does not satisfy $\psi$ as well. □

Thus, to robustly model check formulas that are not mixed, one can use the method of module checking with incomplete information [ref]. We now study the problems of determining whether a given CTL formula is universal (or existential) or mixed, and show that they are all EXPTIME-complete.

Theorem 6. Given a CTL formula $\psi$, checking whether $\psi$ is universal is EXPTIME-complete.
Proof (sketch): For a set $T$ of trees and an integer $k$, we define $\mathit{reshape}(T, k)$ as the set of trees obtained from trees in $T$ by prunings or duplications of subtrees, so that each node has at most $k$ successors. Given a CTL formula $\psi$, let $k = \max\{1, d(\psi)\}$, and let $T$ be the set of trees of branching degree $k$ that satisfy $\psi$. It can be shown that the formula $\psi$ is universal iff $\mathit{reshape}(T, k) \subseteq T$. Given $\psi$, let $\mathcal{A}_\psi$ be a nondeterministic Büchi automaton for $\psi$; that is, $\mathcal{L}(\mathcal{A}_\psi) = T$. By "reshaping" the transition function of $\mathcal{A}_\psi$ we can define a nondeterministic Büchi automaton $\mathcal{A}'_\psi$ such that $\mathcal{L}(\mathcal{A}'_\psi) = \mathit{reshape}(T, k)$. Then, $\psi$ is universal iff $\mathcal{L}(\mathcal{A}'_\psi) \subseteq \mathcal{L}(\mathcal{A}_\psi)$. In order to check the latter, we check the nonemptiness of $\mathcal{L}(\mathcal{A}'_\psi) \cap \mathcal{L}(\mathcal{A}_{\neg\psi})$. Since both $\mathcal{A}'_\psi$ and $\mathcal{A}_{\neg\psi}$ are exponential in $|\psi|$, and the nonemptiness check is polynomial, the EXPTIME upper bound follows.

For the lower bound, we do a reduction from alternating linear-space Turing machines. Given a machine $T$, we construct a CTL formula $\psi$ such that $\psi$ is universal iff the machine $T$ does not accept the empty tape. Typically, $\psi$ is satisfied in a tree iff the tree does not represent an accepting computation tree of $T$ on the empty tape. We can define $\psi$ that is polynomial in $T$. One can then prove that the machine $T$ rejects the empty tape iff $\psi = \mathit{true}$, and that $\psi = \mathit{true}$ iff $\psi$ is universal. □



Theorem 7. Given a CTL formula $\psi$, checking whether $\psi$ is mixed is EXPTIME-complete.

Proof (sketch): Since $\psi$ is mixed iff both $\psi$ and $\neg\psi$ are non-universal, the upper bound follows from Theorem 6. The lower bound is similar to the one in Theorem 6, only that now we prove that $\psi$ is mixed iff the machine $T$ accepts the empty tape. To prove this, we replace the second claim in the proof of Theorem 6 with the claim that $\psi = \mathit{true}$ iff $\psi$ is not mixed. □

5 Related Work and Discussion

Different researchers have considered the problem of reasoning about open systems. The distinction, in [ref], between closed and open systems first led to the realization that synthesis of open systems corresponds to a search for a winning strategy in a game between the system and the environment in which the winning condition is expressed in terms of a linear temporal logic formula. Transformation of the game-theoretic approach to model checking and adjustment of verification methods to the open-system setting started, for linear temporal logic, with the problem of receptiveness [ref]. Essentially, the receptiveness problem is to determine whether every finite prefix of a computation of a given open system can be extended to an infinite computation that satisfies a linear temporal property irrespective of the behavior of the environment. In module checking [ref], the setting is again game-theoretic: an open system is required to satisfy a branching temporal property no matter how the environment disables its transitions. Verification of open systems was formulated in terms of a game between agents in a multi-agent system in [ref]. Alternating-time temporal logic, introduced there, enables path quantifiers to range over computations that a team of agents can force the system into, and thus enables the specification of multi-agent systems. In particular, ATL and ATL* are the alternating-time versions of CTL and CTL*, respectively.

Unlike [ref], in which all the agents of the system are specified, our setting here assumes that only one agent, namely the system, is given. We ask whether there exists another agent, namely the environment, which is not yet known, such that the composition of the system and the environment violates a required property. Thus, while the outcomes of the games that correspond to alternating temporal logic are computations, here the outcomes are trees.¹ The unknown environment may be nondeterministic, thus the branching structure of the trees is not necessarily a restriction of the branching structure of the system. Since the properties we check are branching, the latter point is crucial. As follows from the 2EXPTIME lower bounds for both ATL* model checking and CTL* robust model checking, verification of general properties of open systems is "robustly hard". Exceptions are universal properties, for which robust satisfaction coincides with usual satisfaction, as well as properties that can be specified in the logic ATL. Indeed, the logic ATL identifies a class of properties for open systems for which it suffices to solve iterated finite games, which can be done in linear time.

Robust satisfaction is closely related to supervisory control [ref]. Given a finite-state machine whose transitions are partitioned into controllable and uncontrollable, and a specification for the machine, the control problem requires the construction of a controller that chooses the controllable transitions so that the machine always satisfies the specification. Clearly, checking whether all the compositions $M \| M'$ of a system $M$ with an environment $M'$ satisfy a property $\psi$ is dual to checking whether there is a controller $M'$ such that $M \| M'$ satisfies the property $\neg\psi$. Thus, from a control-theory point of view, the results of this paper generalize known supervisory-control methods to the case where both the system and the controller are nondeterministic Moore machines. In particular, our results imply that nondeterministic controllers are more powerful than deterministic ones, and describe how to synthesize finite-state controllers.

Often, the requirement that $M$ satisfies $\psi$ in all environments is too restrictive, and we are really concerned with the satisfaction of $\psi$ in compositions of $M$ with environments about which some assumptions are known. In the assume-guarantee paradigm to verification, each specification is a pair $\langle \varphi, \psi \rangle$, and $M$ satisfies $\langle \varphi, \psi \rangle$ iff for every $M'$, if $M \| M'$ satisfies $\varphi$, then $M \| M'$ also satisfies $\psi$. When $\varphi$ and $\psi$ are given in linear temporal logic, $M$ satisfies $\langle \varphi, \psi \rangle$ iff $M$ satisfies the implication $\varphi \to \psi$ [ref] (see also [ref]). The situation is different in the branching paradigm. For universal temporal logic, $M$ satisfies $\langle \varphi, \psi \rangle$ iff $\psi$ is satisfied in the composition $M \| M_\varphi$ of $M$ with a module that embodies all the behaviors that satisfy $\varphi$ [ref]. For general branching temporal logic, the above is no longer valid. Robust model checking can be viewed as a special case of the assume-guarantee setting, where $\varphi$ is $\mathit{true}$. Robust model checking, however, can be used to solve the general assume-guarantee setting. Indeed, $M$ satisfies $\langle \varphi, \psi \rangle$ iff $M$ robustly satisfies the implication $\varphi \to \psi$. Thus, while in the linear framework the assume-guarantee paradigm corresponds to usual model checking, robustness is required in the branching framework.

Since assumptions about the environment and its interaction with the system are a natural part of the specification in robust model checking, the model studied in this paper subsumes extensions that can be expressed in terms of properties of the environment and its interaction with the system. For example, recall that our compositions here are deadlock free, thus deadlock is modeled by entering some "bad" state. In order to check that $M$ satisfies a property $\psi$ in all the compositions $M \| M'$ in which this bad state is not reachable, we have to perform robust model checking of $M$ with respect to the property $(AG\,\theta) \to \psi$, with $\theta = \neg bad$, assuming that the bad state is labeled by $bad$. In a similar way, we can specify in $\theta$ other global assumptions about the composition, and thus model settings that support handshaking or other forms of coordination between processes, as well as more general global actions, as in [ref].

¹ Game logic [ref] considers games in which the outputs are trees, yet both players are known.
Abstract. Statecharts is a visual language for specifying the behavior of reactive systems. The language extends finite-state machines with concepts of hierarchy, concurrency, and priority. Despite its popularity as a design notation for embedded systems, precisely defining its semantics has proved extremely challenging. In this paper, we present a simple process algebra, called Statecharts Process Language (SPL), which is expressive enough for encoding Statecharts in a structure-preserving and semantics-preserving manner. We also establish that the behavioral equivalence bisimulation, when applied to SPL, preserves Statecharts semantics.



1 Introduction 

Statecharts is a visual language for specifying the behavior of reactive systems [ref]. The language extends the notation of finite-state machines with concepts of (i) hierarchy, so that one may speak of a state as having sub-states, (ii) concurrency, thereby allowing the definition of systems having simultaneously active subsystems, and (iii) priority, so that one may express that certain system activities have precedence over others. Statecharts has become popular among engineers as a design notation for embedded systems, and commercially available tools provide support for it [ref]. Nevertheless, precisely defining its semantics has proved extremely challenging, with a variety of proposals [ref] being offered for several dialects of the language. The semantic subtlety of Statecharts arises from the language's capability for defining transitions whose enabledness disables other transitions. A Statechart may react to an event by engaging in an enabled transition, thereby performing a so-called micro step, which may generate new events that may in turn trigger new transitions while disabling others. When this chain reaction comes to a halt, one execution step, also referred to as a macro step, is complete. At a technical level, the difficulty for defining an operational semantics capturing the "macro-step" behavior of Statecharts arises from the fact that such a semantics should exhibit the following desirable properties: (i) the synchrony hypothesis, which guarantees that a reaction to an external event terminates before the next event enters the system, (ii) compositionality, which ensures that the semantics of a Statechart is defined in terms of the semantics of its components, and (iii) causality, which demands that the participation of each transition in a macro step must be causally justified. Huizing and Gerth showed that an operational semantics in which transitions are labeled purely by sets of events, i.e., the "observations" a user would make, cannot be given if one wishes all three properties to hold [ref]. In fact, the traditional semantics of Statecharts, as defined by Pnueli and Shalev [ref], satisfies the synchrony hypothesis and causality, but is not compositional. Other approaches, e.g. [ref], have achieved all three goals, but at the expense of including complex information regarding causality in transition labels.

While not as well-established in practice, process algebras [ref] offer many of the semantic advantages that have proved elusive in Statecharts. In general, these theories are operational, and place heavy emphasis on issues of compositionality through the study of congruence relations. Many of the behavioral aspects of Statecharts have also been studied for process algebras. For example, the synchrony hypothesis is related to the maximal progress assumption developed in timed process algebras [ref]. In these algebras, event transitions and "clock" transitions are distinguished, with only the latter representing the advance of time. Maximal progress then ensures that time may proceed only if the system under consideration cannot engage in internal computation. Clocks may therefore be viewed as "bundling" sequences of event transitions, which may be thought of as analogous to "micro steps," into a single "time step," which may be seen as a "macro step." The concept of priority has also been studied in process-algebraic settings [ref], and the Statecharts hierarchy operator is related to the disabling operator of LOTOS [ref].

In this paper, we present a new, process-algebraic semantics of Statecharts. Our approach synthesizes the observations above; specifically, we present a new process algebra, called Statecharts Process Language (SPL), and we show that it is expressive enough for embedding several Statecharts variants. SPL is inspired by Hennessy and Regan's Timed Process Language (TPL) [ref], which extends Milner's CCS [ref] by the concept of an abstract, global clock. Our algebra replaces the handshake communication of TPL by a multi-event communication, and introduces a mechanism to specify priority among transitions as well as a hierarchy operator [ref]. The operational semantics of SPL uses SOS rules to define a transition relation whose elements are labeled with simple sets of events; then, using traditional process-algebraic results we show that SPL has a compositional semantic theory based on bisimulation [ref]. We connect SPL with Statecharts by embedding the variant of the language considered by Maggiolo-Schettini et al. in [ref]. More precisely, we define a compositional translation from Statecharts to SPL that preserves the macro-step semantics of the former. This result depends crucially on our treatment of the SPL macro-step transition relation as a derived one: the standard SPL transition relation becomes in essence a micro-step semantics. Thus, while our macro-step semantics cannot be compositional (cf. the result of Huizing and Gerth [ref]), we obtain a compositional theory, in the form of a semantic congruence, at a lower, micro-step level. In addition to the usual benefits conferred by compositional reasoning, this semantics has a practical advantage: given the unavoidable complexity of inferring macro steps, actual users of Statecharts would benefit from a finer-grained semantics that helps them understand how the macro steps of their systems are arrived at.



2 Statecharts 

Statecharts is a specification language for reactive systems, i.e., concurrent systems which are characterized by their ongoing interaction with their environment. They subsume finite state machines whose transitions are labeled by pairs of events, where the first component is referred to as trigger and may include negated events, and the second component is referred to as action. Intuitively, if the environment offers the events in the trigger, but not the negated ones, then the transition is triggered; it fires, thereby producing the events in the label's action. Concurrency is achieved by allowing Statecharts to be composed from simpler ones running in parallel, which may communicate via broadcasting events. Elementary, or basic, states in Statecharts may also be hierarchically refined by injecting other Statecharts.

As an example, consider the Statechart depicted in Fig. 1. It consists of a so-called and-state, labeled by $n_9$, which denotes the parallel composition of the two Statecharts labeled by $n_3$ and $n_8$. Actually, $n_3$ and $n_8$ are the names of or-states, describing sequential state machines. The first consists of two states $n_1$ and $n_2$ that are connected via transition $t_1$ with label $\neg a/b$. The label specifies that $t_1$ is triggered by $\neg a$, i.e., by the absence of event $a$, and produces event $b$. States $n_1$ and $n_2$ are not refined further and, therefore, are referred to as basic states. Or-state $n_8$ is refined by or-state $n_6$ and basic state $n_7$, connected via a transition labeled by $b/a$. Or-state $n_6$ is further refined by basic states $n_4$ and $n_5$, and transition $t_2$ labeled by $b/c$. The variant of Statecharts considered here does not include interlevel transitions, i.e., transitions crossing borderlines of states, and state references, i.e., triggers of the form $\mathit{in}_n$, where $n$ is a state name. Moreover, state hierarchy does not impose implicit priorities on transitions. The impact of altering our approach to accommodate these concepts is discussed in Sec. [ref].

[Fig. 1. Example Statechart]



Table 1. States and transitions of Statecharts terms

$\mathit{states}([n]) := \{n\}$
$\mathit{states}([n : \vec{s}; l; T]) := \{n\} \cup \bigcup\{\mathit{states}(s_i) \mid 1 \le i \le k\}$
$\mathit{states}([n : \vec{s}]) := \{n\} \cup \bigcup\{\mathit{states}(s_i) \mid 1 \le i \le k\}$
$\mathit{trans}([n]) := \emptyset$
$\mathit{trans}([n : \vec{s}; l; T]) := T \cup \bigcup\{\mathit{trans}(s_i) \mid 1 \le i \le k\}$
$\mathit{trans}([n : \vec{s}]) := \bigcup\{\mathit{trans}(s_i) \mid 1 \le i \le k\}$



For our purposes, it is convenient to represent Statecharts not visually but by terms. This is also done in related work [ref]; we closely follow [ref].

Formally, let $\mathcal{N}$ be a countable set of names for Statecharts states, $\mathcal{T}$ be a countable set of names for Statecharts transitions, and $\Pi$ be a countable set of Statecharts events. Moreover, we associate with every event $e \in \Pi$ its negated counterpart $\neg e$. We also lift negation to negated events by defining $\neg\neg e := e$. Finally, we write $\neg E$ for $\{\neg e \mid e \in E\}$. Then, the set of Statecharts terms is defined to be the least set satisfying the following rules.

1. Basic state: If $n \in \mathcal{N}$, then $s = [n]$ is a Statecharts term.

2. Or-state: If $n \in \mathcal{N}$, $s_1, \ldots, s_k$ are Statecharts terms, $k > 0$, $\rho = \{1, \ldots, k\}$, $T \subseteq \mathcal{T} \times \rho \times 2^{\Pi \cup \neg\Pi} \times 2^{\Pi} \times \rho$, and $1 \le l \le k$, then $s = [n : (s_1, \ldots, s_k); l; T]$ is a Statecharts term. Here, $s_1, \ldots, s_k$ are the sub-states of $s$, and $T$ is the set of transitions between these states. Statechart $s_1$ is the default state of $s$, while $s_l$ is the currently active state.

3. And-state: If $n \in \mathcal{N}$ and if $s_1, \ldots, s_k$ are Statecharts terms for $k > 0$, then $s = [n : (s_1, \ldots, s_k)]$ is a Statecharts term.

We refer to $n$ as the root of $s$ and write $\mathit{root}(s) = n$. If $\hat{t} = (t, i, E, A, j) \in T$ is a transition of or-state $[n : (s_1, \ldots, s_k); l; T]$, then we define $\mathit{name}(\hat{t}) := t$, $\mathit{out}(\hat{t}) := s_i$, $\mathit{ev}(\hat{t}) := E$, $\mathit{act}(\hat{t}) := A$, and $\mathit{in}(\hat{t}) := s_j$. We write SC for the set of Statecharts terms in which (i) all state names and transition names are mutually disjoint, (ii) no transition $\hat{t}$ produces an event that contradicts its trigger, i.e., $\mathit{ev}(\hat{t}) \cap \neg\mathit{act}(\hat{t}) = \emptyset$, and (iii) no transition $\hat{t}$ produces an event that is included in its trigger, i.e., $\mathit{ev}(\hat{t}) \cap \mathit{act}(\hat{t}) = \emptyset$. As a consequence of (i), states and transitions in Statecharts terms are uniquely referred to by their names. Therefore, we may identify a Statecharts state $s$ and transition $\hat{t}$ with its name $\mathit{root}(s)$ and $\mathit{name}(\hat{t})$, respectively. The sets $\mathit{states}(s)$ and $\mathit{trans}(s)$ of all states and transitions of $s$ are inductively defined on the structure of $s$, as depicted in Table 1, where $\vec{s} = (s_1, \ldots, s_k)$. Finally, let us return to our example Statechart



in Fig. 1 and present it as a Statecharts term $s_9 \in \mathrm{SC}$. We choose $\Pi := \{a, b, c\}$, $\mathcal{N} := \{n_1, n_2, \ldots, n_9\}$, and $\mathcal{T} := \{t_1, t_2, t_3\}$.

$s_9 := [n_9 : (s_3, s_8)]$
$s_3 := [n_3 : (s_1, s_2); 1; \{(t_1, 1, \{\neg a\}, \{b\}, 2)\}]$
$s_1 := [n_1]$
$s_2 := [n_2]$
$s_8 := [n_8 : (s_6, s_7); 1; \{(t_3, 6, \{b\}, \{a\}, 7)\}]$
$s_7 := [n_7]$
$s_4 := [n_4]$
$s_6 := [n_6 : (s_4, s_5); 1; \{(t_2, 4, \{b\}, \{c\}, 5)\}]$
$s_5 := [n_5]$
In the remainder of this section, we formally present the semantics of Statecharts terms as defined in [ref], which is a slight variant of the "traditional" semantics proposed by Pnueli and Shalev [ref]. More precisely, this semantics differs from [ref] in that it does not allow the step-construction function, which we present below, to fail. The semantics of a Statecharts term $s$ is a transition system, whose states and transitions are referred to as configurations and macro steps, respectively. Configurations of $s$ are usually sets $\mathit{conf}(s)$ of names of states which are currently active [ref]. We define $\mathit{conf}(s)$ along the structure of $s$: (i) $\mathit{conf}([n]) := \{n\}$, (ii) $\mathit{conf}([n : (s_1, \ldots, s_k); l; T]) := \{n\} \cup \mathit{conf}(s_l)$, and (iii) $\mathit{conf}([n : (s_1, \ldots, s_k)]) := \{n\} \cup \bigcup\{\mathit{conf}(s_i) \mid 1 \le i \le k\}$. However, for our purposes it is more convenient to use Statecharts terms for configurations, as every or-state contains a reference to its active sub-state. Consequently, the default configuration $\mathit{default}(s)$ of Statecharts term $s$ may be defined inductively as follows: (i) $\mathit{default}([n]) := [n]$, (ii) $\mathit{default}([n : (s_1, \ldots, s_k); l; T]) := [n : (\mathit{default}(s_1), \ldots, \mathit{default}(s_k)); 1; T]$, and (iii) $\mathit{default}([n : (s_1, \ldots, s_k)]) := [n : (\mathit{default}(s_1), \ldots, \mathit{default}(s_k))]$. As mentioned before, a Statechart reacts to the arrival of some external events by triggering enabled micro steps, possibly in a chain-reaction-like manner, thereby performing a macro step. More precisely, a macro step comprises a maximal set of micro steps, or transitions, that are triggered by events offered by the environment or generated by other micro steps, that are mutually consistent, compatible, and relevant, and that obey causality. The Statecharts principle of global consistency, which prohibits an event from being present and absent in the same macro step, is subsumed by triggered and compatible. In the following, we formally introduce the above notions.



Table 2. Step-construction function

function step-construction(s, E):
  var T := ∅;
  while T ⊂ enabled(s, E, T) do
    choose t ∈ enabled(s, E, T) \ T;  T := T ∪ {t}
  od;
  return T



A transition $t \in \mathit{trans}(s)$ is consistent with all transitions in $T \subseteq \mathit{trans}(s)$, in signs $t \in \mathit{consistent}(s, T)$, if $t$ is not in the same parallel component as any transition in $T$. Formally, $\mathit{consistent}(s, T) := \{t \in \mathit{trans}(s) \mid \forall t' \in T.\ t \perp_s t'\}$. Here, we write $t \perp_s t'$ if $t = t'$, or if there exists an and-state $[n : (s_1, \ldots, s_k)]$ in $s$, i.e., $n \in \mathit{states}(s)$, such that $t \in \mathit{trans}(s_i)$ and $t' \in \mathit{trans}(s_j)$ for some $1 \le i, j \le k$ satisfying $i \ne j$. A transition $t \in \mathit{trans}(s)$ is compatible to all transitions in $T \subseteq \mathit{trans}(s)$, in signs $t \in \mathit{compatible}(s, T)$, if no event produced by $t$ appears negated in a trigger of a transition in $T$. Formally, $\mathit{compatible}(s, T) := \{t \in \mathit{trans}(s) \mid \forall t' \in T.\ \mathit{act}(t) \cap \neg\mathit{ev}(t') = \emptyset\}$. A transition $t \in \mathit{trans}(s)$ is relevant for $s$, in signs $t \in \mathit{relevant}(s)$, if the root of the source state of $t$ is in the configuration of $s$. Formally, $\mathit{relevant}(s) := \{t \in \mathit{trans}(s) \mid \mathit{root}(\mathit{out}(t)) \in \mathit{conf}(s)\}$. A transition $t \in \mathit{trans}(s)$ is triggered by a set $E$ of events, in signs $t \in \mathit{triggered}(s, E)$, if the positive, but not the negative, trigger events of $t$ are in $E$. Formally, $\mathit{triggered}(s, E) := \{t \in \mathit{trans}(s) \mid \mathit{ev}(t) \cap \Pi \subseteq E \text{ and } \neg(\mathit{ev}(t) \cap \neg\Pi) \cap E = \emptyset\}$. Finally, $t$ is enabled in $s$ regarding a set $E$ of events and a set $T$ of transitions, if $t \in \mathit{enabled}(s, E, T)$, where $\mathit{enabled}(s, E, T) := \mathit{relevant}(s) \cap \mathit{consistent}(s, T) \cap \mathit{triggered}(s, E \cup \bigcup_{t \in T} \mathit{act}(t)) \cap \mathit{compatible}(s, T)$. Unfortunately, this formalism is still not rich enough to causally justify the triggering of each transition. The principle of causality may be introduced by computing macro steps, i.e., sets of transition names, using the nondeterministic step-construction function presented in Table 2. This function is adopted from [ref], where also its soundness and completeness relative to the classical approach via the notion of inseparability of transitions [ref] are stated. Note that the maximality of each macro step implements the synchrony hypothesis of Statecharts. The set of all macro steps that can be constructed using function step-construction, relative to a Statecharts term $s$ and a set $E$ of environment events, is denoted by $\mathit{step}(s, E) \subseteq 2^{\mathcal{T}}$.



Table 3. Function update

$\mathit{update}([n], T') := [n]$
$\mathit{update}([n : \vec{s}], T') := [n : (\mathit{update}(s_1, T_1), \ldots, \mathit{update}(s_k, T_k))]$
$\mathit{update}([n : \vec{s}; l; T], T') :=$
  $[n : \vec{s}; l; T]$ if $T' = \emptyset$
  $[n : (s_1, \ldots, \mathit{update}(s_l, T'), \ldots, s_k); l; T]$ if $\emptyset \ne T' \subseteq \mathit{trans}(s_l)$
  $[n : (s_1, \ldots, \mathit{default}(s_m), \ldots, s_k); m; T]$ if $\emptyset \ne T' = \{(t', l, E, A, m)\} \subseteq T$
  $[n]$ otherwise



For a set $T \in \mathit{step}(s, E)$, Statecharts term $s$ may evolve in a macro step to term $s' := \mathit{update}(s, T)$ when triggered by the environment events in $E$ and, thereby, produce the events $A := \bigcup\{\mathit{act}(t) \mid t \in T\}$. We denote this macro step by $s \stackrel{E}{\Longrightarrow}_A s'$. The function $\mathit{update}$ is defined in Table 3, where $\vec{s} := (s_1, \ldots, s_k)$ and $T_i := T' \cap \mathit{trans}(s_i)$, for $1 \le i \le k$. Observe that at most one transition of $T$ may be enabled at the top level of an or-state; thus, the "otherwise" case in Table 3 cannot occur in our context. Intuitively, $\mathit{update}(s, T)$, when $T \subseteq \mathit{trans}(s)$, re-defines the active states of $s$ when the transitions in $T$ are executed.
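The following Python, added here and not part of the paper, implements Table 1, the sets $\mathit{relevant}$, $\mathit{consistent}$, $\mathit{compatible}$, $\mathit{triggered}$ and $\mathit{enabled}$, the step-construction function of Table 2 (enumerating every macro step the nondeterministic choice can produce) and the update function of Table 3, and runs them on the term $s_9$ of Fig. 1. The representation of terms as named tuples, the "¬" prefix for negated events and the use of positional indices $1..k$ inside transition tuples are this example's own choices.

```python
"""Statecharts macro steps: step-construction (Table 2) and update (Table 3).

Added example, not code from the paper: Table 1, the sets relevant/consistent/
compatible/triggered/enabled, step-construction (enumerating every macro step the
nondeterministic function may return) and update, run on the term s9 of Fig. 1.
Negated events carry the prefix "¬"; transition tuples (t, i, E, A, j) use
positions 1..k in the sub-state tuple (rule 2), not the state numbers of the page.
"""
from collections import namedtuple
from operator import itemgetter

Basic = namedtuple("Basic", "n")            # [n]
Or = namedtuple("Or", "n subs l T")         # [n : (s1, ..., sk); l; T], l 1-based
And = namedtuple("And", "n subs")           # [n : (s1, ..., sk)]
name, ev, act = itemgetter(0), itemgetter(2), itemgetter(3)   # of (t, i, E, A, j)

def neg(e): return e[1:] if e.startswith("¬") else "¬" + e   # ¬e, with ¬¬e := e
def neg_set(es): return {neg(e) for e in es}

def trans(s):                               # Table 1
    if isinstance(s, Basic):
        return frozenset()
    own = s.T if isinstance(s, Or) else frozenset()
    return own.union(*(trans(c) for c in s.subs))

def conf(s):                                # names of the currently active states
    if isinstance(s, Basic):
        return {s.n}
    if isinstance(s, Or):
        return {s.n} | conf(s.subs[s.l - 1])
    return {s.n}.union(*(conf(c) for c in s.subs))

def default(s):                             # every or-state reset to its default s1
    if isinstance(s, Basic):
        return s
    subs = tuple(default(c) for c in s.subs)
    return Or(s.n, subs, 1, s.T) if isinstance(s, Or) else And(s.n, subs)

def orthogonal(s, t, t2):                   # t ⊥_s t'
    if t == t2:
        return True
    if isinstance(s, Basic):
        return False
    if isinstance(s, And) and any(t in trans(ci) and t2 in trans(cj)
                                 for ci in s.subs for cj in s.subs if ci is not cj):
        return True                         # different components of an and-state
    return any(orthogonal(c, t, t2) for c in s.subs)

def relevant(s):                            # root(out(t)) ∈ conf(s)
    if isinstance(s, Basic):
        return set()
    if isinstance(s, Or):                   # t leaves the active sub-state s_l
        return {t for t in s.T if t[1] == s.l} | relevant(s.subs[s.l - 1])
    return set().union(*(relevant(c) for c in s.subs))

def triggered(s, E):                        # ev(t) ∩ Π ⊆ E and ¬(ev(t) ∩ ¬Π) ∩ E = ∅
    return {t for t in trans(s)
            if {e for e in ev(t) if not e.startswith("¬")} <= E
            and not neg_set({e for e in ev(t) if e.startswith("¬")}) & E}

def enabled(s, E, T):
    generated = E.union(*(act(t) for t in T))          # E ∪ ⋃_{t∈T} act(t)
    return {t for t in relevant(s) & triggered(s, generated)
            if all(orthogonal(s, t, t2) for t2 in T)                # consistent
            and all(not (act(t) & neg_set(ev(t2))) for t2 in T)}    # compatible

def steps(s, E):                            # step(s, E): all results of Table 2
    def go(T):
        en = enabled(s, E, T)
        if not T < en:                      # while-guard T ⊂ enabled(s, E, T) fails
            return {T}
        return set().union(*(go(T | {t}) for t in en - T))
    return go(frozenset())

def update(s, Tp):                          # Table 3, Tp ⊆ trans(s)
    if isinstance(s, Basic) or not Tp:
        return s
    if isinstance(s, And):
        return And(s.n, tuple(update(c, Tp & trans(c)) for c in s.subs))
    subs = list(s.subs)
    if Tp <= trans(subs[s.l - 1]):          # all fired transitions lie inside s_l
        subs[s.l - 1] = update(subs[s.l - 1], Tp)
        return Or(s.n, tuple(subs), s.l, s.T)
    if len(Tp) == 1 and Tp <= s.T and next(iter(Tp))[1] == s.l:
        m = next(iter(Tp))[4]               # top-level transition s_l -> s_m
        subs[m - 1] = default(subs[m - 1])
        return Or(s.n, tuple(subs), m, s.T)
    return Basic(s.n)                       # 'otherwise': cannot arise for macro steps

def macro_steps(s, E):                      # all s ==E=>_A s' as (names(T), A, conf(s'))
    return {(frozenset(map(name, T)), frozenset().union(*(act(t) for t in T)),
             frozenset(conf(update(s, T)))) for T in steps(s, E)}

# The term s9 of Fig. 1: n9 = n3 || n8, with t1: ¬a/b, t2: b/c and t3: b/a.
t1 = ("t1", 1, frozenset({"¬a"}), frozenset({"b"}), 2)
t2 = ("t2", 1, frozenset({"b"}), frozenset({"c"}), 2)
t3 = ("t3", 1, frozenset({"b"}), frozenset({"a"}), 2)
s3 = Or("n3", (Basic("n1"), Basic("n2")), 1, frozenset({t1}))
s6 = Or("n6", (Basic("n4"), Basic("n5")), 1, frozenset({t2}))
s8 = Or("n8", (s6, Basic("n7")), 1, frozenset({t3}))
s9 = And("n9", (s3, s8))
```

With environment events {b}, either t1 and t2 fire together (t1 produces b, which makes t3 incompatible) or t3 fires alone (its output a falsifies the trigger ¬a of t1), so step(s9, {b}) contains two macro steps.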

3 Process-Algebraic Framework

Our process-algebraic framework is inspired by timed process calculi, such as Hennessy and Regan's TPL [ref]. The Statecharts Process Language (SPL), which we intend to develop, includes a special action $\sigma$ denoting the ticking of a global clock. SPL's semantic framework is based on a notion of transition system that involves two kinds of transitions, action transitions and clock transitions, modeling two different mechanisms of communication and synchronization in concurrent systems. The role of actions corresponds to the one of events in Statecharts. A clock represents the progress of time, which manifests itself in a recurrent global synchronization event, the clock transition, in which all process components are forced to take part. However, action and clock transitions are not orthogonal concepts but are connected via the maximal progress assumption [ref]. Maximal progress implies that progress of time is determined by the completion of internal computations and, thus, mimics Statecharts' synchrony hypothesis. The key idea for embedding Statecharts terms in a timed process algebra is to represent a macro step as a sequence of micro steps that is enclosed by clock transitions, signaling the beginning and the end of the macro step, respectively. This sequence implicitly encodes causality and leads to a compositional Statecharts semantics. Unfortunately, existing timed process algebras are, in their original form, not suitable for embedding Statecharts. The reason is that Statecharts transitions may be labeled by multiple events and that some events may appear negated. The former feature implies that, in contrast to standard process algebras [ref], processes may be forced to synchronize on more than one event simultaneously, and the latter feature is similar to mechanisms for handling priority [ref]. Our framework must also include an operator similar to the disabling operator of LOTOS [ref] for resembling state hierarchy.

Formally, let Λ be a countable set of events or ports, and let σ ∉ Λ be the distinguished clock event or clock tick. We define input actions to be of the form (E, N), where E, N ⊆ Λ, and output actions E to be subsets of Λ. In case of the input action (∅, ∅), we speak of an unobservable or internal action, which is also denoted by •. We let 𝒜 stand for the set of all input actions. In contrast to CCS, the syntax of SPL includes two different operators for dealing with input and output actions, respectively. The prefix operator "(E, N)." only permits prefixing with respect to input actions, which are instantly consumed in a single step. Output actions E are signaled to the environment of a process by attaching them to the process via the signal operator "[E]σ(·)". They remain visible until the next clock tick σ occurs. The syntax of SPL is given by the following BNF:

  $P ::= 0 \mid X \mid (E,N).P \mid [E]\sigma(P) \mid P + P \mid P \rhd P \mid P \rhd_\sigma P \mid P \,|\, P \mid P \setminus L$

where L ⊆ Λ is a restriction set, and X is a process variable taken from some countable domain 𝒱. We also allow the definition of equations X def= P, where variable X is assigned to term P. If X occurs as a subterm of P, we say that X is recursively defined. We adopt the usual definitions for open and closed terms and guarded recursion, and refer to the closed and guarded terms as processes. Moreover, we let 𝒫, ranged over by P and Q, denote the set of all processes. Finally, the operators ▷ and ▷σ, called disabling and enabling operator, respectively, allow us to model state hierarchy, as is illustrated below.

The operational semantics of an SPL process P ∈ 𝒫 is given by a labeled transition system (𝒫, 𝒜 ∪ {σ}, →, P), where 𝒫 is the set of states, 𝒜 ∪ {σ} the alphabet, → the transition relation, and P the start state. We refer to transitions with labels in 𝒜 as action transitions and to those with label σ as clock transitions. For the sake of simplicity, we write (i) $P \xrightarrow{(E,N)} P'$ instead of (P, (E, N), P') ∈ → and (ii) $P \xrightarrow{\sigma} P'$ instead of (P, σ, P') ∈ →. We say that P may engage in a transition labeled by (E, N) or σ, respectively, and thereafter behave like process P'. The transition relation is defined in Tables 4 and 5 using operational rules. In contrast to CCS, our framework does not provide a concept of output action transitions, such that "matching" input and output action transitions synchronize with each other and, thereby, simultaneously change states. Instead, output actions are attached to SPL processes via the signal operator. In order to present our communication mechanism, we need to introduce initial output action sets, ℐ(P), for P ∈ 𝒫. These are defined as the least sets satisfying the equations in Table 4 (upper part). Intuitively, ℐ(P) collects all events which are initially offered by P.



Table 4. Initial output action sets & operational semantics (action transitions)

Initial output action sets:

  $\mathcal{I}([E]\sigma(P)) = E$
  $\mathcal{I}(P + Q) = \mathcal{I}(P) \cup \mathcal{I}(Q)$
  $\mathcal{I}(P \,|\, Q) = \mathcal{I}(P) \cup \mathcal{I}(Q)$
  $\mathcal{I}(P \rhd Q) = \mathcal{I}(P) \cup \mathcal{I}(Q)$
  $\mathcal{I}(X) = \mathcal{I}(P)$, if $X \stackrel{\mathrm{def}}{=} P$
  $\mathcal{I}(P \setminus L) = \mathcal{I}(P) \setminus L$
  $\mathcal{I}(P \rhd_\sigma Q) = \mathcal{I}(P)$

Action transitions (premise implies conclusion, with side condition where given):

  Act:  $(E,N).P \xrightarrow{(E,N)} P$
  Rec:  $P \xrightarrow{(E,N)} P'$ implies $X \xrightarrow{(E,N)} P'$, if $X \stackrel{\mathrm{def}}{=} P$
  Sum1: $P \xrightarrow{(E,N)} P'$ implies $P + Q \xrightarrow{(E,N)} P'$
  Sum2: $Q \xrightarrow{(E,N)} Q'$ implies $P + Q \xrightarrow{(E,N)} Q'$
  En:   $P \xrightarrow{(E,N)} P'$ implies $P \rhd_\sigma Q \xrightarrow{(E,N)} P' \rhd_\sigma Q$
  Dis1: $P \xrightarrow{(E,N)} P'$ implies $P \rhd Q \xrightarrow{(E,N)} P' \rhd_\sigma Q$
  Dis2: $Q \xrightarrow{(E,N)} Q'$ implies $P \rhd Q \xrightarrow{(E,N)} Q'$
  Par1: $P \xrightarrow{(E,N)} P'$ implies $P \,|\, Q \xrightarrow{(E \setminus \mathcal{I}(Q),\, N)} P' \,|\, Q$, if $N \cap \mathcal{I}(Q) = \emptyset$
  Par2: $Q \xrightarrow{(E,N)} Q'$ implies $P \,|\, Q \xrightarrow{(E \setminus \mathcal{I}(P),\, N)} P \,|\, Q'$, if $N \cap \mathcal{I}(P) = \emptyset$
  Res:  $P \xrightarrow{(E,N)} P'$ implies $P \setminus L \xrightarrow{(E,\, N \setminus L)} P' \setminus L$, if $E \cap L = \emptyset$



The semantics for action transitions, depicted in Table 4 (lower part), is set up such that $P \xrightarrow{(E,N)} P'$ means: P can evolve to P', if the environment offers communications on all ports in E, but none on any port in N. More precisely, process (E, N).P may engage in input action (E, N) and then behave like P. The summation operator + denotes nondeterministic choice, i.e., process P + Q may either behave like P or like Q. Process P | Q stands for the parallel composition of P and Q according to an interleaving semantics with synchronization on common ports. Rule Par1 describes the interaction of process P with its environment Q. If P can engage in a transition labeled by (E, N) to P', then P and Q synchronize on the events in E ∩ ℐ(Q), provided that Q does not offer a communication on a port in N, i.e., N ∩ ℐ(Q) = ∅ holds. In this case, P | Q can engage in a transition labeled by (E \ ℐ(Q), N) to P' | Q. Rule Par2 deals with the symmetric case, where the roles of P and Q are interchanged. The semantics of the disabling and enabling operators are tightly connected. Process P ▷ Q may behave as Q, thereby permanently disabling P, or as P ▷σ Q. In the latter case only P may proceed, and Q is disabled until the next clock tick arrives. This allows for modeling Statecharts or-states, where process P is on a lower level than Q. The restriction operator \L encapsulates all ports in L. Rule Res states that process P \ L can only engage in an action transition labeled by (E, N) if there is no event in E which is restricted by L. Moreover, the events in L may be eliminated from N. Finally, process variable X, where X def= P, is identified with a process that behaves as a distinguished solution of the equation X = P.



Table 5. Operational semantics (clock transitions)

  tNil: $0 \xrightarrow{\sigma} 0$
  tAct: $(E,N).P \xrightarrow{\sigma} (E,N).P$, if $(E,N) \neq \bullet$
  tOut: $[E]\sigma(P) \xrightarrow{\sigma} P$
  tSum: $P \xrightarrow{\sigma} P'$ and $Q \xrightarrow{\sigma} Q'$ imply $P + Q \xrightarrow{\sigma} P' + Q'$
  tPar: $P \xrightarrow{\sigma} P'$ and $Q \xrightarrow{\sigma} Q'$ imply $P \,|\, Q \xrightarrow{\sigma} P' \,|\, Q'$, if $\bullet \notin I(P \,|\, Q)$
  tDis: $P \xrightarrow{\sigma} P'$ and $Q \xrightarrow{\sigma} Q'$ imply $P \rhd Q \xrightarrow{\sigma} P' \rhd Q'$
  tEn:  $P \xrightarrow{\sigma} P'$ implies $P \rhd_\sigma Q \xrightarrow{\sigma} P' \rhd Q$
  tRes: $P \xrightarrow{\sigma} P'$ implies $P \setminus L \xrightarrow{\sigma} P' \setminus L$, if $\bullet \notin I(P \setminus L)$
  tRec: $P \xrightarrow{\sigma} P'$ implies $X \xrightarrow{\sigma} P'$, if $X \stackrel{\mathrm{def}}{=} P$




The operational rules for clock transitions deal with the maximal progress assumption, i.e., if • ∈ I(P) := {(E, N) | ∃P'. $P \xrightarrow{(E,N)} P'$}, then a clock tick σ is inhibited. The reason that transitions other than those labeled by • do not have pre-emptive power is that these only indicate the potential of progress, whereas • denotes real progress in our framework. Rule tNil states that inaction process 0 can idle forever. Similarly, process (E, N).P may idle for clock σ whenever (E, N) ≠ •. The signal operator in [E]σ(P), which offers communications on the ports in E to its environment, disappears as soon as the next clock tick arrives and, thereby, enables P. Time has to proceed equally on both sides of summation, parallel composition, and disabling, i.e., P + Q, P | Q, and P ▷ Q can engage in a clock transition if and only if both P and Q can. The side condition of Rule tPar implements maximal progress and states that there is no pending communication between P and Q. The reason for the side condition in Rule tRes is that the restriction operator may turn observable input actions into the internal, unobservable input action • (cf. Rule Res) and, thereby, may pre-empt the considered clock transition. Finally, Rule tEn states that a clock tick switches the enabling operator to the disabling operator.

The operational semantics for SPL possesses several pleasant algebraic properties which are known from various timed process algebras:

(i) the idling property, i.e., • ∉ I(P) implies ∃P'. $P \xrightarrow{\sigma} P'$, for all P ∈ 𝒫,

(ii) the maximal progress property, i.e., ∃P'. $P \xrightarrow{\sigma} P'$ implies • ∉ I(P), for all P ∈ 𝒫, and (iii) the time determinacy property, i.e., $P \xrightarrow{\sigma} P'$ and $P \xrightarrow{\sigma} P''$ implies P' = P'', for all P, P', P'' ∈ 𝒫. Moreover, the summation and parallel operators are associative and commutative. The well-known behavioral equivalence bisimulation may be adapted to cater for SPL as follows; results from other work can be used for establishing that it is a well-defined congruence for SPL.

Definition 1 (Bisimulation). Bisimulation equivalence, ~ ⊆ 𝒫 × 𝒫, is the largest symmetric relation such that for P ~ Q the following conditions hold:

1. ℐ(P) ⊆ ℐ(Q).  2. If $P \xrightarrow{\alpha} P'$ for some α ∈ 𝒜 ∪ {σ}, then ∃Q' ∈ 𝒫. $Q \xrightarrow{\alpha} Q'$ and P' ~ Q'.

4 Embedding of Statecharts 

In this section we present an embedding of Statecharts in SPL, which is a mapping ⟦·⟧ from Statecharts terms to processes defined by (mutually recursive) equations. Although SPL's semantics is defined on a "micro-step level," SPL allows us to encode the synchrony hypothesis of Statecharts by using maximal progress. More precisely, a macro step in Statecharts semantics corresponds to a sequence of SPL action transitions which is enclosed by clock transitions. These sequences implicitly contain the causal order inherent in a Statecharts macro step. Formally, we choose Π ∪ ¬Π for the set Λ of ports and 𝒩 ∪ {h_n | n ∈ 𝒩} ∪ 𝒯 for the set 𝒱 of process variables. We define the embedding ⟦·⟧ inductively along the structure of Statecharts terms, where Σ is the indexed version of + satisfying Σ∅ := 0.

1. If s = [n], then ⟦s⟧ := n where n def= 0.

2. If s = [n : (s_1, ..., s_k); l; T] and n_i = root(s_i), for 1 ≤ i ≤ k, then ⟦s⟧ := n, where n def= h_l and h_i def= n_i ▷ Σ{ {[t]} | t ∈ T and out(t) = s_i }, together with the equations of ⟦s_1⟧, ..., ⟦s_k⟧. Please see below for the translation {[t]} of t.

3. If s = [n : (s_1, ..., s_k)], then ⟦s⟧ := n and n def= root(s_1) | ... | root(s_k), together with the equations of ⟦s_1⟧, ..., ⟦s_k⟧.

Semantically, a basic state corresponds to inaction process 0, whereas an or-state can either behave according to the embedding of the currently active state s_l, or it may exit s_l by engaging in a transition t ∈ T with out(t) = s_l. Observe that an or-state is mapped using the disabling operator. The translation of an and-state maps its component states to the parallel composition of the processes resulting from the translations of each of these states. The interesting part of the definition of ⟦·⟧ is the translation {[t]} of a transition (t, i, E, A, j). In the following, E' stands for E ∩ Π and N' for ¬(E ∩ ¬Π) ∪ ¬A. We define {[t]} := (E', N').t where t def= [A ∪ (E ∩ ¬Π)]σ(h_j). The translation splits a transition (t, i, E, A, j) in two parts, one handling its trigger E and one executing its action A. In order for t to trigger, all positive events in E must be offered by the environment, and all negative events in E must be absent. However, there is one more thing we have to obey: global consistency. Especially, we must ensure that there is no previous transition t' in the same macro step which has fired because of the absence of an event e ∈ A. Therefore, to prevent t from triggering, we include the distinguished event ¬e, where e ∈ A, in the set N' of {[t]}, and we make sure that ¬e is offered when t' triggers. Hence, {[t]} can evolve via an SPL transition labeled by (E', N') to process t whenever the trigger of t is satisfied according to Statecharts semantics and whenever global consistency is preserved. Process t signals that transition t has fired by offering the events in A as well as the already mentioned negated events ¬e for ¬e ∈ E ∩ ¬Π. These events are offered until the current macro step is completed, i.e., until a clock transition is executed. Thus, SPL's two-level semantics of action and clock transitions allows for broadcasting events using SPL's synchronization mechanism and SPL's maximal progress assumption.



Table 6. Embedding of the Example Statechart (left-hand side: the SPL equations of the embedding; right-hand side: their operational semantics; the body of the table is not legible in the scan)

We now return to our introductory example by presenting its formal translation to SPL in Table 6, left-hand side. The embedding's operational semantics is depicted on the right-hand side of Table 6, where t̂2 def= t2 ▷σ ({b}, {¬a}).t3 and h def= 0 ▷ ({b}, {¬a}).t3. Moreover, the initial output action set ℐ(P), for some P ∈ 𝒫, is denoted next to the ellipse symbolizing state P, and the sets N' appearing in the labels of transitions are underlined in order to distinguish them from the sets E'. Let us have a closer look at the leftmost path of the transition system, passing the states (n_r | n_s), (t1 | n_s), (t1 | t̂2), (0 | h), (0 | t3), and (0 | 0). The first three states are separated from the last three states by a clock transition. Hence, the considered sequence corresponds to two "potential" macro steps. We say "potential," since macro steps only emerge when composing our Statecharts embedding with an environment which triggers macro steps. The events needed to trigger the transitions and the actions produced by them can be extracted from a macro-step sequence as follows. For obtaining the trigger, consider all transition labels (E, N) occurring in the sequence, add up all events in the components E, and include the negations of all positive events in the components N. Regarding the generated actions, consider the set of positive events in the initial output action sets of the states preceding the clock transition which signals the end of the macro step. Thus, the first potential macro step of the example sequence is triggered by ¬a and produces the events b and c, whereas the second is triggered by b and produces a. The state names along a sequence also indicate which transitions have fired. More precisely, whenever a state includes a variable t ∈ 𝒯 at its top level, transition t participates in the current macro step. Thus, for the first potential macro step transitions t1 and t2 are chosen, whereas the second consists of transition t3 only. Note that t3 is not enabled in states (t1 | n_s) or (t1 | t̂2), since event ¬a is in their initial output action sets and a ∈ act(t3). Hence, our embedding respects global consistency, which prohibits t1 and t3 from occurring in the same macro step.

5 Semantic Correspondence 

For formalizing the semantic relation between Statecharts terms and their SPL embeddings, we define a notion of SPL macro steps by combining several transitions to a single step, as outlined in the previous section. We write $P \stackrel{E}{\Longrightarrow}_{A} P'$ if

  $\exists P'' \in \mathcal{P}.\;\; (Env_E \,|\, P) \setminus \Lambda \;\xrightarrow{\bullet}{}^{*}\; (Env_E \,|\, P'') \setminus \Lambda \;\xrightarrow{\sigma}\; (0 \,|\, P') \setminus \Lambda \quad\text{and}\quad \mathcal{I}(P'') = A,$

where $Env_E \stackrel{\mathrm{def}}{=} [E]\sigma(0)$. Intuitively, P is placed in the context (Env_E | ·) \ Λ, where Env_E models a single-step environment which offers the events in E until clock tick σ occurs. The following relation, which we refer to as step correspondence, provides the formal foundation for relating Statecharts and SPL macro steps.

Definition 2 (Step Correspondence). A relation ℛ ⊆ SC × 𝒫 is a step correspondence if for all (s, P) ∈ ℛ and E, A ⊆ Π the following conditions hold:

1. ∀s' ∈ SC. $s \xrightarrow{E}_{A} s'$ implies ∃P' ∈ 𝒫. $P \stackrel{E}{\Longrightarrow}_{A} P'$ and (s', P') ∈ ℛ.

2. ∀P' ∈ 𝒫. $P \stackrel{E}{\Longrightarrow}_{A} P'$ implies ∃s' ∈ SC. $s \xrightarrow{E}_{A} s'$ and (s', P') ∈ ℛ.

s is step-correspondent to P if (s, P) ∈ ℛ for some step correspondence ℛ.

Theorem 1 (Embedding). Every s ∈ SC is step-correspondent to ⟦s⟧.
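To make the clock-tick mechanism and the macro-step construction concrete, the following Python is an added example and not code from the paper. It implements Tables 4 and 5 literally (initial output sets, action transitions, clock transitions under maximal progress), the transition translation {[t]} of Section 4, and the macro-step relation defined above, and runs them on a constructed Statechart with two parallel or-states: t1 (p0 → p1, trigger a, action b), t2 (q0 → q1, trigger b, action c) and t3 (q0 → q1, trigger ¬b, action d). The term encoding, the event names a to d, the state and transition names, and the helper names are our own assumptions; a negated event ¬e is written '~e', and the produced set A is read off as the positive events of ℐ(P''), following the extraction rule of Section 4.

```python
# Added example, not code from the paper: an executable reading of SPL (Tables 4 and 5), of the
# transition translation {[t]} of Section 4 and of the macro-step relation of Section 5, run on a
# constructed two-component Statechart. Event names a..d and t1..t3 are ours; ¬e is written '~e'.
# Terms: ('nil',) | ('var', X) | ('act', E, N, P) for (E,N).P | ('sig', E, P) for [E]σ(P) |
# ('sum', P, Q) | ('dis', P, Q) for P ▷ Q | ('en', P, Q) for P ▷σ Q | ('par', P, Q) | ('res', P, L)
NIL = ('nil',)
TAU = (frozenset(), frozenset())    # the internal action (∅,∅), written • in the paper
DEFS = {}                           # process equations X def= P (guarded recursion)

def neg(e):                         # ¬e, with ¬¬e = e
    return e[1:] if e.startswith('~') else '~' + e

def outputs(p):
    """Initial output action set I(P), Table 4 (upper part)."""
    k = p[0]
    if k in ('nil', 'act'): return frozenset()
    if k == 'sig': return p[1]
    if k in ('sum', 'par', 'dis'): return outputs(p[1]) | outputs(p[2])
    if k == 'en': return outputs(p[1])
    if k == 'res': return outputs(p[1]) - p[2]
    return outputs(DEFS[p[1]])                                                # X def= P

def steps(p):
    """Action transitions of P as a set of ((E, N), P'), Table 4 (lower part)."""
    k = p[0]
    if k in ('nil', 'sig'): return set()        # neither 0 nor a signalling process has an action rule
    if k == 'var': return steps(DEFS[p[1]])                                   # Rec
    if k == 'act': return {((p[1], p[2]), p[3])}                              # Act
    if k == 'sum': return steps(p[1]) | steps(p[2])                           # Sum1, Sum2
    if k == 'en': return {(l, ('en', q, p[2])) for l, q in steps(p[1])}       # En
    if k == 'dis':                              # Dis1 holds Q back until the tick, Dis2 drops P
        return {(l, ('en', q, p[2])) for l, q in steps(p[1])} | steps(p[2])
    if k == 'par':                                                            # Par1, Par2
        P, Q, out = p[1], p[2], set()
        for (E, N), P1 in steps(P):
            if not N & outputs(Q): out.add(((E - outputs(Q), N), ('par', P1, Q)))
        for (E, N), Q1 in steps(Q):
            if not N & outputs(P): out.add(((E - outputs(P), N), ('par', P, Q1)))
        return out
    P, L = p[1], p[2]                                                         # Res
    return {((E, N - L), ('res', P1, L)) for (E, N), P1 in steps(P) if not E & L}

def internal(p):                    # • ∈ I(P): an internal step is enabled, so σ is pre-empted
    return any(l == TAU for l, _ in steps(p))

def tick(p):
    """The clock successor of P (Table 5), or None if σ is pre-empted (maximal progress)."""
    k = p[0]
    if k == 'nil': return p                                                   # tNil
    if k == 'act': return p if (p[1], p[2]) != TAU else None                  # tAct
    if k == 'sig': return p[2]                                                # tOut
    if k == 'var': return tick(DEFS[p[1]])                                    # tRec
    if k == 'en':                                                             # tEn
        P1 = tick(p[1]); return None if P1 is None else ('dis', P1, p[2])
    if k == 'res':                                                            # tRes
        P1 = tick(p[1]); return None if P1 is None or internal(p) else ('res', P1, p[2])
    P1, Q1 = tick(p[1]), tick(p[2])                                           # tSum, tPar, tDis
    if P1 is None or Q1 is None or (k == 'par' and internal(p)): return None
    return (k, P1, Q1)

PI = frozenset('abcd')                        # the positive events Π of the constructed example
ALL = PI | frozenset(map(neg, PI))            # Λ = Π ∪ ¬Π, the restriction set used in Section 5

def transition(t, E, A, h_target):
    """{[t]} := (E', N').t with t def= [A ∪ (E ∩ ¬Π)]σ(h_j), for a transition (t, i, E, A, j)."""
    pos, negs = frozenset(E) & PI, frozenset(E) - PI
    DEFS[t] = ('sig', frozenset(A) | negs, ('var', h_target))
    return ('act', pos, frozenset(map(neg, negs | frozenset(A))), ('var', t))

def or_state(h, child, outgoing):
    """h def= child ▷ Σ{ {[t]} | out(t) = child }, with Σ∅ := 0."""
    body = NIL
    for tr in outgoing: body = tr if body == NIL else ('sum', body, tr)
    DEFS[h] = ('dis', ('var', child), body)

for n in ('p0', 'p1', 'q0', 'q1'): DEFS[n] = NIL                         # basic states: n def= 0
or_state('h_p0', 'p0', [transition('t1', {'a'}, {'b'}, 'h_p1')])          # t1: p0 --a/b--> p1
or_state('h_q0', 'q0', [transition('t2', {'b'}, {'c'}, 'h_q1'),           # t2: q0 --b/c--> q1
                        transition('t3', {'~b'}, {'d'}, 'h_q1')])         # t3: q0 --¬b/d--> q1
or_state('h_p1', 'p1', []); or_state('h_q1', 'q1', [])
DEFS['p'], DEFS['q'] = ('var', 'h_p0'), ('var', 'h_q0')                   # or-states p, q start in p0, q0
DEFS['root'] = ('par', ('var', 'p'), ('var', 'q'))                        # and-state root: p | q

def macro_steps(P, E):
    """All (A, P') with P =E=>A P' (Section 5): run (Env_E | P) \\ Λ by internal steps up to the tick."""
    start = ('res', ('par', ('sig', frozenset(E), NIL), P), ALL)          # Env_E def= [E]σ(0)
    found, seen, todo = set(), set(), [start]
    while todo:
        s = todo.pop()
        if s in seen: continue
        seen.add(s)
        todo += [s1 for _, s1 in steps(s)]      # restriction by Λ leaves only • steps
        s1 = tick(s)
        if s1 is not None:                      # (Env_E | P'')\Λ --σ--> (0 | P')\Λ
            found.add((outputs(s[1][2]) & PI, s1[1][2]))   # positive events of I(P''), cf. Section 4
    return found

def produced_sets(E):
    """The action sets A of all macro steps of the example Statechart under environment E."""
    return {A for A, _ in macro_steps(('var', 'root'), E)}
```

Under environment E = {a}, produced_sets({'a'}) returns exactly two action sets, {b, c} (t1 fires and then, causally, t2) and {d} (t3 alone): once t1 has fired and offers b, t3 is blocked through the side condition of Par1, and once t3 has fired and offers ¬b, t1 is blocked in the same way, which is the global-consistency check of Section 4. Under E = ∅ only {d} remains, and in every run tick refuses the clock transition while a • step is still enabled, so maximal progress is what closes the macro step.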

We close this section by returning to the behavioral relation ~.

Theorem 2 (Preservation). Let P, Q ∈ 𝒫 such that P ~ Q, and suppose that $P \stackrel{E}{\Longrightarrow}_{A} P'$ for some E, A ⊆ Π. Then ∃Q' ∈ 𝒫. $Q \stackrel{E}{\Longrightarrow}_{A} Q'$ and P' ~ Q'.

Now, we can state our desired result, namely that the behavioral equivalence bisimulation, when applied to SPL, preserves Statecharts semantics.

Corollary 1. Let E, A ⊆ Π, s ∈ SC, and P ∈ 𝒫 such that ⟦s⟧ ~ P. Then

1. ∀s' ∈ SC. $s \xrightarrow{E}_{A} s'$ implies ∃P' ∈ 𝒫. $P \stackrel{E}{\Longrightarrow}_{A} P'$ and ⟦s'⟧ ~ P'.

2. ∀P' ∈ 𝒫. $P \stackrel{E}{\Longrightarrow}_{A} P'$ implies ∃s' ∈ SC. $s \xrightarrow{E}_{A} s'$ and ⟦s'⟧ ~ P'.

6 Adaptability to Other Statecharts Variants 

For Statecharts a variety of different semantics has been introduced in the literature. In this section, we show how our approach can be adapted to these variants and, thereby, testify to its flexibility.

In the Statecharts variant examined in this paper, two features are left out which are often adopted in other variants. One feature concerns inter-level transitions, i.e., transitions which cross the "borderlines" of Statecharts states and, thus, permit a style of "goto"-programming. Unfortunately, when allowing inter-level transitions, the syntax of Statecharts terms cannot be defined compositionally and, consequently, neither can its semantics. The second feature left out is usually referred to as state reference, which permits the triggering of a transition to depend on whether a certain parallel component is in a certain state. Such state references can be encoded in SPL's communication scheme by introducing special events in_n, for n ∈ 𝒩, which are signaled by a process if it is in state n.

Another issue concerns the sensing of internal and external events. Usually, internal events are sensed within a macro step, but external events are not. Hence, events are instantaneous, i.e., an event exists only for the duration of the macro step under consideration. This is reflected in our signal operator, which stops signaling events as soon as the next clock tick arrives. In the semantics of Statemate, an event is only sensed in the macro step following the one in which it was generated. This behavior can be encoded in our embedding by splitting every state t ∈ 𝒯 into two states that are connected via a clock transition. The specific sensing of events in Statemate greatly simplifies the development of a compositional semantics.

The Statecharts concept of negated events forces transitions to be triggered only when certain events are absent. However, when permitting negated events in a macro-step semantics, one has to guarantee that the effect of a transition is not contradictory to its cause. Regarding this issue, one may distinguish two concepts: global consistency and local consistency. The first one prohibits a transition containing a negative trigger event ¬e from being executed if a micro step within the same macro step produces e. In our embedding, this is enforced by offering ¬e whenever a transition triggers due to the absence of e. Moreover, ¬e is included in the set of events which need to be absent in all Statecharts transitions producing e. When leaving out these events in our embedding, we obtain the weaker notion of local consistency, i.e., once an event e is signaled in a micro step, no following micro step of the same macro step may fire if its trigger contains ¬e. Local consistency implicitly holds in our embedding, since an event is always signaled until the next macro step begins.

In addition to encoding priorities between transitions via negated events, one may introduce an implicit priority mechanism along state hierarchy, as is done, e.g., in Statemate but not in the Statecharts variant considered in this paper. More precisely, a transition leaving an or-state may be given priority over any transition within this state, i.e., or-states can then be viewed as pre-emptive interrupt operators. SPL can easily be extended to capture this behavior.



7 Related Work 

Achieving a compositional semantics for Statecharts is known to be a difficult task. The problems involved were systematically analyzed and investigated by Huizing and Gerth in the early nineties in the more general context of real-time reactive systems, for which three criteria have been found to be desirable:

(i) responsiveness, which corresponds to the synchrony hypothesis of Statecharts,

(ii) modularity, which refers to the aspect of compositionality, and (iii) causality. Huizing and Gerth proved that these properties cannot be combined in a single-leveled semantics. In our approach the three properties hold on different levels: compositionality holds on the micro-step level, the level of SPL action transitions, whereas responsiveness and causality are guaranteed on the macro-step level, the level where sequences of SPL action transitions between global synchronizations, caused by clock ticks σ, are bundled together.

Uselton and Smolka and Levi also focused on achieving a compositional semantics for Statecharts by referring to process algebras. In contrast to our approach, Uselton and Smolka's notion of transition system involves labels of the form (E, ≺), where E is a set of events and ≺ is a transitive, irreflexive order on E encoding causality. Unfortunately, their semantics does not correspond, as intended, to the semantics of Pnueli and Shalev, as has been pointed out. Levi repaired this shortcoming by modifying the domains of the arguments of ≺ to sets of events and by allowing empty steps to be represented explicitly.

Maggiolo-Schettini et al. considered a hierarchy of equivalences for Statecharts and studied congruence properties with respect to Statecharts operators. For this purpose, they defined a compositional, operational macro-step semantics of Statecharts which slightly differs from the one of Pnueli and Shalev, since it does not allow the step-construction function to fail. Their semantics is also expressed in terms of labeled transition systems, where labels consist of four-tuples which include information about causal orderings, global consistency, and negated events. The framework of Maggiolo-Schettini et al. serves well for the purpose of studying certain algebraic properties of equivalences on Statecharts, such as full-abstractness results and axiomatizations.

Another popular design language with a visual appeal like Statecharts and, moreover, a solid algebraic foundation is Argos. However, the semantics of Argos, defined via SOS rules as labeled transition systems, significantly differs from classical Statecharts semantics. For example, Argos is deterministic, abstracts from "non-causal" Statecharts by semantically identifying them with a failure state, and allows a single parallel component to fire more than once within a macro step.

Interfacing Statemate to verification tools is a main objective of two further lines of work. The former formalizes Statemate semantics in Z, while the latter translates a subset of Statemate to the model-checking tool Spin.



8 Conclusions and Future Work 

This paper presented a process-algebraic approach to defining a compositional semantics for Statecharts. Our technique translates Statecharts terms to terms in SPL, which allows one to encode a "micro-step" semantics of Statecharts. The macro-step semantics may then be given in terms of a derived transition relation. We demonstrated the utility of our technique by formally embedding in SPL the Statecharts semantics considered here, which is a slight variant of Pnueli and Shalev's semantics. Our approach also allows for interfacing Statecharts to existing verification tools and for the possibility of lifting behavioral equivalences from process algebras to Statecharts. We illustrated the viability of this last point by showing that bisimulation equivalence, which is a congruence for SPL, preserves Statecharts macro-step semantics.

Regarding future work, we plan to continue our investigation of behavioral equivalences for Statecharts in general, and "weak" equivalences in particular, by studying them for SPL. It may also be interesting to characterize the "Statecharts sub-algebra" of SPL. Moreover, we intend to implement SPL and our embedding in the Concurrency Workbench of North Carolina (CWB-NC).

We would like to thank Peter Kelb, Ingolf Krüger, Michael Mendler, and the anonymous referees for many valuable comments and suggestions.
Abstract. The increasing importance and ubiquity of distributed and mobile object systems makes it very desirable to develop rigorous semantic models and formal reasoning techniques to ensure their correctness. The concurrency model of rewriting logic has been extensively used by a number of authors to specify, execute, and validate concurrent object systems. This model is a true concurrency model, associating an algebra of proof terms 𝒯_ℛ to the rewrite theory ℛ specifying the desired system. The elements of 𝒯_ℛ are concurrent computations described as proofs modulo an equational theory of proof/computation equivalence. This paper builds a very intuitive alternate model ℰ_ℛ, also of a true concurrency nature, but based instead on the notion of concurrent events and a causality partial order between such events. The main result of the paper is the equivalence of these two models expressed as an isomorphism. Both models have straightforward extensions to similar models of infinite computations. The models are very general and can express both synchronous and asynchronous object computations. In the asynchronous case the Baker-Hewitt event model for actors appears as a special case of our model.



1 Introduction 



The increasing importance and ubiquity of distributed and mobile object systems makes it very desirable to develop rigorous semantic models well-suited to object systems, and to use logically-based techniques to reason about their correctness. In the past few years, a number of authors have used rewriting logic to axiomatize concurrent object systems and have exploited its associated model of concurrency in a variety of ways (see, for example, the references in the survey paper).

A concurrent object system axiomatized by a rewrite theory ℛ has an associated semantic model 𝒯_ℛ whose elements are abstract concurrent computations corresponding to equivalence classes of proofs in the logic. Therefore, a computation is possible in the model if and only if it is provable in the logic. The model 𝒯_ℛ provides an algebraic abstract model of "true concurrency", in which equivalent descriptions of the same concurrent computation are identified. The purpose of this paper is to develop a different semantic model ℰ_ℛ for concurrent object systems based on the notion of events having a partial order causality relationship between them. This second model is very natural


Jos C.M. Baeten, Sjouke Mauw (Eds.): CONCUR’99, LNCS 1664, pp. 415^3 1999. 
(c) Springer- Verlag Berlin Heidelberg 1999 




416 



Jose Meseguer and Carolyn Talcott 



and intuitive, and yields as special cases other known models such as the event diagram model for Actors. The main result of this paper is that both models coincide, in the strong sense of being in fact isomorphic. This validates from an independent perspective the intuitive adequacy of the algebraic model proposed by rewriting logic, and provides a precise semantic bridge between different representations of concurrent object-based computations that, as we discuss further in the paper, can each be more useful in different kinds of applications. In particular, this equivalence of models yields an efficient decision procedure for proof equivalence.

Our model equivalence result for concurrent object systems should be placed within the broader context of related results for other kinds of concurrent systems showing semantic connections between the initial model 𝒯_ℛ of a rewrite theory ℛ axiomatizing a concurrent system of a given kind, and well-known models of true concurrency. For example, Degano, Meseguer and Montanari showed that, for a place/transition Petri net axiomatized by ℛ, the model 𝒯_ℛ is isomorphic to the commutative process model of Best and Devillers. Similarly, for ℛ a rewrite theory without additional equational axioms, Corradini, Gadducci and Montanari showed that the computations in 𝒯_ℛ starting at a term t form, under natural assumptions, a prime algebraic domain. Another result by Laneve and Montanari showed that for ℛ the rewrite theory of the lambda calculus, the traditional model of parallel lambda calculus computation coincides with a quotient model 𝒯_ℛ/E modulo a few natural equations E. Yet another result by Carabetta, Degano and Gadducci shows that, for ℛ the rewrite theory of CCS, a quotient model 𝒯_ℛ/E under a few natural equations is equivalent to the proved transition causal model of Degano and Priami. Therefore, our result should be seen as a further piece of evidence, involving an important class of concurrent systems, towards the longer-term research project of exploring the naturalness and expressiveness of rewriting logic as a semantic framework for concurrency.

To better motivate the paper and make it more accessible, the rest of this introduction recapitulates in an informal style the main ideas of how rewriting logic axiomatizes concurrent object systems and yields a semantic model 𝒯_ℛ for a system so axiomatized, which for the case of object systems is further refined in this paper; we then sketch the basic ideas about the new isomorphic model based on a partial order of events.

1.1 Concurrent Objects in Rewriting Logic 

We explain how concurrent object systems are axiomatized in rewriting logic, and how concurrent object-based computations correspond to proofs in the logic and yield an algebraic model of "true concurrency". In general, a rewrite theory is a pair ℛ = ((Σ, E), R), with (Σ, E) an equational specification with signature of operations Σ and a set of equational axioms E, and with R a collection of labelled rewrite rules. The equational specification describes the static structure of the system's state space as an algebraic data type. The dynamics of the system are described by the rules in R that specify local concurrent transitions that can occur in the system axiomatized by ℛ, and that can be applied modulo the equations E.

Let us then begin explaining how the state space of a concurrent object system can be axiomatized as the initial algebra of an equational theory (Σ, E). That is, we


A Partial Order Event Model for Concurrent Objects 417 



explain the key state-building operations in Σ and the equations E that they satisfy. The concurrent state of an object-oriented system, often called a configuration, has typically the structure of a multiset made up of objects and messages. Therefore, we can view configurations as built up by a binary multiset union operator, which we can represent with empty syntax (i.e. juxtaposition) as _ _ : Conf × Conf → Conf. (Following the conventions of mix-fix notation, we use underscores to indicate argument positions.) The operator is declared to satisfy the structural laws of associativity and commutativity and to have identity ∅. Objects and messages are singleton multiset configurations, and belong to subsorts Object, Msg < Conf, so that more complex configurations are generated out of them by multiset union.

An object in a given state is represented as a term ⟨O : C | a_1 : v_1, ..., a_n : v_n⟩, where O is the object's name or identifier, C is its class, the a_i's are the names of the object's attribute identifiers, and the v_i's are the corresponding values. The set of all the attribute-value pairs of an object state is formed by repeated application of the binary union operator _,_ which also obeys structural laws of associativity, commutativity, and identity; i.e., the order of the attribute-value pairs of an object is immaterial. This finishes the description of some of the sorts, operators, and equations in the theory (Σ, E) axiomatizing the states of a concurrent object system. Particular systems will have additional operations and equations, specifying, for example, the data operations on attribute values. But the top-level structure of the concurrent object system is always given by the multiset union operator.

The associativity and commutativity of a configuration's multiset structure make it very fluid. We can think of it as a "soup" in which objects and messages float, so that any objects and messages can at any time come together and participate in a concurrent transition corresponding to a communication event of some kind. In general, the rewrite rules in $R$ describing the dynamics of an object-oriented system can have the form

$$r(\bar{x}) : M_1 \ldots M_n\ \langle O_1 : F_1 \mid atts_1 \rangle \ldots \langle O_m : F_m \mid atts_m \rangle$$
$$\to \langle O_{i_1} : F'_{i_1} \mid atts'_{i_1} \rangle \ldots \langle O_{i_k} : F'_{i_k} \mid atts'_{i_k} \rangle$$
$$\langle Q_1 : D_1 \mid atts''_1 \rangle \ldots \langle Q_p : D_p \mid atts''_p \rangle$$
$$M'_1 \ldots M'_q$$
$$\text{if } C$$

where $r$ is the label, $\bar{x}$ is a list of the variables occurring in the rule, the $M$s are message expressions, $i_1, \ldots, i_k$ are different numbers among the original $1, \ldots, m$, and $C$ is the rule's condition. That is, a number of objects and messages can come together and participate in a transition in which some new objects may be created, others may be destroyed, and others can change their state, and where some new messages may be created. If two or more objects appear in the left-hand side, we call the rule synchronous, because it forces those objects to jointly participate in the transition. If there is only one object in the left-hand side, we call the rule asynchronous. For example, we can consider three classes of objects, Buffer, Sender, and Receiver. The buffer stores a list of numbers in its q attribute. Lists of numbers are built using an associative list concatenation operator $\_\,.\,\_$ with identity nil, and numbers are regarded as lists of length one. The name of the object reading from the buffer is stored in its reader attribute. The sender and receiver objects store a number in a cell attribute that can also be empty (mt), and also have a counter (cnt) attribute. The sender also stores the name of the receiver in an additional attribute. The counter attribute is used to ensure that messages are received by the receiver in the same order as they are sent by the sender, even though communication between the two parties is asynchronous. Each time the sender gets a new message from the buffer, it increments its counter. It uses the current value of the counter to tag the message sent to the receiver. The receiver only accepts a message whose tag is its current counter. It then increments its counter, indicating that it is ready for the next message. Three typical rewrite rules for objects in these classes (where E and N range over natural numbers, L over lists of numbers, L . E is a list with last element E, and (to Z : E from (Y,N)) is a message) are

read(X, Y, L, E, N) : < X : Buffer | q: L . E, reader: Y >
                      < Y : Sender | cell: mt, cnt: N >
                   => < X : Buffer | q: L, reader: Y >
                      < Y : Sender | cell: E, cnt: N + 1 >

send(Y, Z, E, N) : < Y : Sender | cell: E, cnt: N, receiver: Z >
                => < Y : Sender | cell: mt, cnt: N > (to Z : E from (Y,N))

receive(Z, Y, E, N) : < Z : Receiver | cell: mt, cnt: N >
                      (to Z : E from (Y,N))
                   => < Z : Receiver | cell: E, cnt: N + 1 >

where the read rule is synchronous and the send and receive rules are asynchronous. These rules are applied modulo the associativity and commutativity of the multiset union operator, and therefore allow both object synchronization and message sending and receiving events anywhere in the configuration, regardless of the position of the objects and messages. We can then consider the rewrite theory $\mathcal{R} = ((\Sigma, E), R)$ axiomatizing the object system with these three classes and with $R$ the three rules above (and perhaps other rules, such as one for the receiver to write its contents into another buffer object, that we omit).

Rewriting logic then gives an inference system to deduce, for a system axiomatized by a rewrite theory $\mathcal{R}$, all the finitary concurrent computations possible in such a system. Such computations are identified with proofs of the general form $\alpha : t \to t'$ in the logic. In what follows, to simplify the exposition, we specialize the general inference system to the case of object systems. Idle, or "identity", computations, in which nothing changes in a state $t$, are denoted by $t$ itself, and elementary rewrites corresponding to the application of a single rule are denoted by the appropriate substitution instance of the rule label; for example, send(b, c, 3, 1) is the rewrite in which sender object b sends to c the value 3 with counter 1. More complex computations are then built up by parallel and sequential composition of elementary proofs, according to the following inference system, which specifies both the inferences and the new proof terms associated to proofs $\alpha$ and $\beta$.

1. Congruence:

$$\frac{\alpha : t \to t' \qquad \beta : u \to u'}{\alpha\,\beta : t\,u \to t'\,u'}$$

2. Transitivity:

$$\frac{\alpha : t_1 \to t_2 \qquad \beta : t_2 \to t_3}{\alpha ; \beta : t_1 \to t_3}$$
For example, a buffer object a, and sender and receiver objects b and c can be involved in a concurrent computation in which b reads a value from a and sends it to c, and then, simultaneously, c receives it and b reads a second value from a. Suppose that we begin with the following initial configuration $C_0$

< a : Buffer | q: 7 . 9, reader: b >
< c : Receiver | cell: mt, cnt: 1 >
< b : Sender | cell: mt, cnt: 0, receiver: c >

Then, the above concurrent computation can be described by the proof term $\alpha$, built up by repeated application of congruence and transitivity,

(read(a, b, 7, 9, 0) < c : Receiver | cell: mt, cnt: 1 >);
(send(b, c, 9, 1) < c : Receiver | cell: mt, cnt: 1 > < a : Buffer | q: 7, reader: b >);
(read(a, b, nil, 7, 1) receive(c, b, 9, 1))

and has as its final configuration $C_1$

< a : Buffer | q: nil, reader: b >
< b : Sender | cell: 7, cnt: 2, receiver: c >
< c : Receiver | cell: 9, cnt: 2 >

This is fine, but when do two different proofs describe the same concurrent computation? This typical "true concurrency" question is posed by approaches in which a more abstract description of concurrent computations is sought, and models characterizing such computations are built. For example, in our computation $\alpha$ we could replace the last step, namely (read(a, b, nil, 7, 1) receive(c, b, 9, 1)), by either of two different "interleaving" proof terms equivalent to it: one in which the receive happens after the read, and another in which they happen in the opposite order.

Rewriting logic is in this sense a "true concurrency" approach. The abstract model giving a semantics to the concurrent computations of a system axiomatized by a rewrite theory $\mathcal{R} = ((\Sigma, E), R)$ is denoted $T_\mathcal{R}$ and is a quotient of the algebra of proof terms modulo some simple equations that express basic equivalences between proofs. The details of this algebraic construction for an arbitrary rewrite theory can be found in [?]. In this paper we give a detailed construction specializing to the case of object-oriented systems and further refining the $T_\mathcal{R}$ model. We can give the flavor of these proof equivalences by pointing out that, firstly, all the equations $E$ in $\mathcal{R}$ are also applied to proof terms (in particular, parallel composition of proofs in object systems is associative and commutative, because multiset union enjoys those axioms) and, in addition, parallel and sequential composition obey, among others, the following three equations, which are sufficient for proving that our proof term $\alpha$ above is equivalent to the two proof terms in which the last parallel step has been replaced by interleavings.

1. Associativity. $(\alpha;\beta);\gamma = \alpha;(\beta;\gamma)$.

2. Identities. For each $\alpha : t \to t'$, $\alpha;t' = \alpha$ and $t;\alpha = \alpha$.

3. Functoriality. $(\alpha_1;\beta_1)\,(\alpha_2;\beta_2) = (\alpha_1\,\alpha_2);(\beta_1\,\beta_2)$.

By identifying proof terms using equations such as these, the model $T_\mathcal{R}$ characterizes abstract concurrent computations in an object-oriented system as equivalence classes $[\alpha]$ of proof terms $\alpha$.
1.2 A Partial Order Event Model

The model $\mathcal{T}_\mathcal{R}$ is algebraic and enjoys many of the good properties of algebraic constructions, including parallel and sequential composition operations and being initial in a much broader category of models [?]. By contrast, other approaches to true concurrency build partial-order or Petri net-like models that are more topological in nature, e.g. [?]. They complement the description given by an algebraic construction by offering a more intuitive description of the abstract computations. The ideal result one would like to have is one of complete equivalence between two true concurrency models: one based on an algebraic construction, and another based on a topological construction. In this way, we can freely move back and forth between equivalent descriptions that may each have strong advantages for different purposes. For example, we can visualize a computation using its topological description and can do algebraic manipulations with a corresponding proof term. In addition, in the process of proving such an equivalence, the topological model typically becomes endowed with an important algebraic structure that can be very valuable.



For the case of rewrite theories $\mathcal{R}$ axiomatizing Place/Transition Petri nets, the equivalence of $T_\mathcal{R}$ with a well-known combinatorial model of "true concurrency" for nets, namely the commutative processes of Best and Devillers [?], has been shown in [?]. The main result of this paper is a similar equivalence of models for concurrent object systems, namely, an equivalence between an algebraic model $\mathcal{T}_\mathcal{R}$ of proof terms modulo a few natural equations, which specializes to object systems the general model $T_\mathcal{R}$, and a very natural and intuitive partial order of events model $\mathcal{E}_\mathcal{R}$ that is fully general, in the sense of allowing both synchronous and asynchronous computations. Furthermore, the models $\mathcal{T}_\mathcal{R}$ and $\mathcal{E}_\mathcal{R}$ have a straightforward extension to models of infinite computations that are again isomorphic. In fact, for rewrite theories $\mathcal{R}$ whose rules are all asynchronous and obey the actor locality laws (cf. [?]), $\mathcal{E}_\mathcal{R}$ specializes to the well-known partial order of events model of Hewitt and Baker for Actor systems [?].



Mathematically, we prove our desired equivalence of models as an isomorphism $\mathcal{T}_\mathcal{R} \cong \mathcal{E}_\mathcal{R}$ of the corresponding algebraic structures. We can give the flavor of $\mathcal{E}_\mathcal{R}$ by showing in Figure 1 the partial order of events corresponding in $\mathcal{E}_\mathcal{R}$ to the equivalence class $[\alpha]$ of proof terms for the proof term $\alpha$ in our example. In $\mathcal{T}_\mathcal{R}$ the equivalence class of proofs $[\alpha]$ labels an arrow between the beginning and ending configurations $C_0$ and $C_1$. In $\mathcal{E}_\mathcal{R}$ the same arrow is instead labeled by the corresponding partial order of events. Note that the events are the elementary rewrites corresponding to applying each one of the rules, and the order between them is the causality relation between such events. Thus, the first send and the receive events are causally connected, but the second read and the receive are unrelated in the causal partial order.

[Figure 1 not reproduced.] Fig. 1. Equivalence between proof and event partial order descriptions of a concurrent computation.

The rest of the paper is organized as follows. Section 2 introduces object theories, a general class of rewrite theories capturing the essential aspects of concurrent object systems. Section 3 gives a detailed construction of the proof term model $\mathcal{T}_\mathcal{R}$ for an object rewrite theory $\mathcal{R}$, and studies some of its key properties. Section 4 then gives our main contribution, namely the construction of the partial order of events model $\mathcal{E}_\mathcal{R}$ for an object rewrite theory $\mathcal{R}$ and the isomorphism $\mathcal{T}_\mathcal{R} \cong \mathcal{E}_\mathcal{R}$. Section 5 extends this isomorphism to an isomorphism of corresponding models of infinite computations. We finish with some concluding remarks.



2 Object Theories 

In this section we describe the class of rewrite theories, called object theories, for which the event model is defined. We consider rewrite theories whose underlying equational logic is membership equational logic [?]. A membership equational logic specification has the form $(\Sigma, E)$ where $\Sigma$ contains a family $K$ of kinds, a $K$-kinded family of operators of the form $f : k_1 \ldots k_n \to k_{n+1}$ with $k_i \in K$, and for each $k \in K$ a set of sorts $S_k$; and where $E$ is a set of Horn clauses whose atomic formulas are either equations $t = t'$ between terms of kind $k$, or membership assertions $t : s$ between a term of kind $k$ and a sort $s \in S_k$. Intuitively, terms with a kind but without a sort are "error" or "undefined" expressions. Subsort relations $s < s'$ and operator declarations $f : s_1 \ldots s_n \to s_{n+1}$ at the level of sorts can be seen as syntactic sugar for their corresponding Horn clauses.

For a rewrite theory $\mathcal{R} = ((\Sigma, E), R)$ we first describe the constraints on the equational part $(\Sigma, E)$, then we describe the constraints on the rules $R$. Object theories generalize the typical rewrite theories for object-oriented systems. It may be that not all multiset unions of configurations are meaningful. For example, consider object systems in which legal configurations should not have different objects with the same identity. To account for this possibility, we postulate a subsort $Coh < Conf$ of "coherent" configurations characterizing the meaningful system states. The introduction of object identities is postponed until Section 4.
2.1 Equational Part

$(\Sigma, E)$ is a theory in membership equational logic such that there is a distinguished sort $Conf$ of configurations with

(i) a binary operation $\_\,\_$ on $Conf$ that is associative and commutative with neutral element $0$, and such that there is no other operation in $\Sigma$ that can take elements of sort $Conf$ as arguments.

(ii) a subsort $Coh < Conf$, called the coherent configurations, satisfying the membership constraints $0 : Coh$ and $U\,V : Coh \Rightarrow U : Coh \wedge V : Coh$.

(iii) for any set $X$ of variables, the elements of sort $Conf$ in the free algebra $T_{\Sigma,E}(X)$ form a free multiset on the variables and "alien subterms" (that is, subterms whose top symbol is different from $\_\,\_$ or $0$) of sort $Conf$, under the operation $\_\,\_$ and neutral element $0$.

Remark. Since (in membership equational logic) for each sort $S$ and terms $t, t'$, whenever $E \vdash t : S$ and $E \vdash t = t'$, then $E \vdash t' : S$, we have, thanks to (i) and (ii), that for each $U, V, W : Conf$, $(U\,V)\,W : Coh$ iff $U\,(V\,W) : Coh$, and then $U$, $V$, $W$, $U\,V$, $V\,W$, and $U\,W$ all have sort $Coh$. Furthermore, thanks to (iii), if $E \vdash U\,V : Coh \wedge U\,W : Coh \wedge U\,V = U\,W$, then $E \vdash V = W$.



2.2 Rules Part 

For a rewrite theory $\mathcal{R} = ((\Sigma, E), R)$ whose equational part $(\Sigma, E)$ satisfies the conditions of Section 2.1, we further require that rules only rewrite non-empty configurations and that ground coherent configurations are rewritten to coherent configurations. In particular we require the following.

(i) All rules have the form $r : Z \to Z'\ \text{if}\ \psi$, where $\psi$ is a conjunction of equations, $Z, Z' : Conf$, $Z \neq 0$, and $Z$ and $Z'$ contain no variables of sort $Conf$.

(ii) For a ground term $W$ such that $E \vdash W : Coh$, if $\theta$ is a ground substitution and $r : Z \to Z'\ \text{if}\ \psi$ is a rule in $R$ such that $\theta(\psi)$ holds, that is $E \vdash \theta(\psi)$, and

$W = U\,\theta(Z)$,

then $E \vdash U\,\theta(Z') : Coh$. That is, the rewrite rules in $R$ always rewrite ground terms in $Coh$ to other ground terms in $Coh$.



The above requirements for the equational and rules parts of an object theory are for example satisfied by the buffer, sender, and receiver object theory of Section 1.1, by taking as sort $Coh$ of coherent configurations those multisets of objects and messages that are actually sets and that satisfy natural object theory requirements such as uniqueness of object identifiers, as well as specific invariants such as messages originating from a given sender having a counter strictly smaller than that of the sender, and so on.
3 The Proof Term Model

3.1 Algebra of Proof Terms

To each object theory $\mathcal{R}$ we associate an algebra of proof terms $\mathcal{T}_\mathcal{R}$. This proof term algebra is specified in partial membership equational logic [?]. Partial membership equational logic is the variant of membership equational logic in which, instead of kinds, we have a poset of sorts $(S, \le)$ where each connected component $C$ has a top element $\top_C$, operations $f : \top_{C_1} \ldots \top_{C_n} \to \top_{C_{n+1}}$ are interpreted as partial functions, and Horn clauses have a partial interpretation.

The proof term algebra is given by means of the theory $\mathcal{P}_\mathcal{R} = (\Sigma', E')$ where (noting that a specification in total membership algebra can always be regarded as a partial membership algebra specification) $(\Sigma, E) \subseteq (\Sigma', E')$ and the additional sorts and operations of $\Sigma'$ are as follows.

(1) There is a sort $Prf$ of proofs with $Coh < Prf$ such that

• there are total operations $source, target : Prf \to Coh$ such that $source(U) = U$ and $target(U) = U$ for $U : Coh$; given $\alpha : Prf$ with $source(\alpha) = U$ and $target(\alpha) = V$ we use the notation $U \xrightarrow{\alpha} V$ to simultaneously state these three facts,

• there is a partial operation $\_;\_ : Prf \times Prf \to Prf$,

• the partial operation $\_\,\_$ on $Coh$ is extended to a partial operation $\_\,\_ : Prf \times Prf \to Prf$.

(2) For each rule $r : Z \to Z'\ \text{if}\ \psi$ in $R$ with variables $x_1, \ldots, x_n$ of respective sorts $s_1, \ldots, s_n$, there is a partial operation $r : s_1, \ldots, s_n \to Prf$ such that for any substitution $\theta$, if $\theta(Z) : Coh$ and $\theta(\psi)$ holds, then

$r(\theta) : Prf$, $source(r(\theta)) = \theta(Z)$, $target(r(\theta)) = \theta(Z')$,

that is, $\theta(Z) \xrightarrow{r(\theta)} \theta(Z')$. We assume that the variables $x_1, \ldots, x_n$ of rule $r$ are ordered; $r(\theta)$ then abbreviates the term $\theta(r(x_1, \ldots, x_n))$.

(3) If $U, U', V, V' : Coh$ and $\alpha, \beta : Prf$ such that $U \xrightarrow{\alpha} U'$, $V \xrightarrow{\beta} V'$, and $U\,V : Coh$, then $U\,V \xrightarrow{\alpha\,\beta} U'\,V'$.

(4) If $U \xrightarrow{\alpha} V$ and $V \xrightarrow{\beta} W$, then $U \xrightarrow{\alpha;\beta} W$.

The additional equations of $E'$ are the following.

A. Category

(id) $Z \xrightarrow{\alpha} Z' \Rightarrow Z;\alpha = \alpha,\ \alpha;Z' = \alpha$

(assoc(_;_)) $Z_0 \xrightarrow{\alpha_0} Z_1 \wedge Z_1 \xrightarrow{\alpha_1} Z_2 \wedge Z_2 \xrightarrow{\alpha_2} Z_3 \Rightarrow (\alpha_0;\alpha_1);\alpha_2 = \alpha_0;(\alpha_1;\alpha_2)$
B. Partial Monoidal Structure

(funct) $Z_0 \xrightarrow{\alpha_0} Z_1 \xrightarrow{\alpha_1} Z_2 \wedge Z'_0 \xrightarrow{\alpha'_0} Z'_1 \xrightarrow{\alpha'_1} Z'_2 \wedge Z_0\,Z'_0 : Coh \Rightarrow (\alpha_0;\alpha_1)\,(\alpha'_0;\alpha'_1) = (\alpha_0\,\alpha'_0);(\alpha_1\,\alpha'_1)$

(id-0) $0\,\alpha = \alpha$ for $\alpha : Prf$

(comm(_ _)) $\bigwedge_{j<2} (Z_j \xrightarrow{\alpha_j} Z'_j) \wedge (Z_0\,Z_1) : Coh \Rightarrow (\alpha_0\,\alpha_1) = (\alpha_1\,\alpha_0)$

(assoc(_ _)) $\bigwedge_{j<3} (Z_j \xrightarrow{\alpha_j} Z'_j) \wedge (Z_0\,Z_1\,Z_2) : Coh \Rightarrow (\alpha_0\,\alpha_1)\,\alpha_2 = \alpha_0\,(\alpha_1\,\alpha_2)$



3.2 Basic Properties 

A proof term is in sequential form if it is a sequence of basic rewrites $U_i\,r_i(\theta_i)$. Lemma 1 says that any proof term is equivalent to one in sequential form.

Lemma 1 (Sequentialization). If $\alpha$ is a ground $\Sigma'$-term such that $Z \xrightarrow{\alpha} Z'$, then we can find $n \in Nat$ and $\alpha_i, r_i(\theta_i) : Prf$, $U_i : Coh$ for $1 \le i \le n$ such that $\alpha_i = U_i\,r_i(\theta_i)$ and $E' \vdash \alpha = \alpha_1; \ldots; \alpha_n$. Furthermore, the multiset of elementary rewrites $r_i(\theta_i)$ is independent of the particular sequentialization.

Lemma 2 says that in passing from $(\Sigma, E)$ to $(\Sigma', E')$, no new coherent configurations are introduced (no junk) and no $E$-equivalence classes of coherent configurations are collapsed by $E'$ (no confusion).

Lemma 2 (Protection). Let $\mathcal{R} = ((\Sigma, E), R)$ be an object theory with $Coh$ its sort of coherent configurations, and let $\mathcal{P}_\mathcal{R} = (\Sigma', E')$ be its associated proof term theory. Then for each $\Sigma'$-ground term $U$ such that $E' \vdash U : Coh$ there exists a $\Sigma$-ground term $V$ such that $E \vdash V : Coh$ and $E' \vdash U = V$. Also, for $\Sigma$-ground terms $U, V$ such that $E \vdash U, V : Coh$, we have $E' \vdash U = V \Leftrightarrow E \vdash U = V$.

Definition 1 (The Proof Category $\mathcal{T}_\mathcal{R}$). If $\mathcal{R} = ((\Sigma, E), R)$ is an object theory with coherent configuration sort $Coh$ and proof term theory $\mathcal{P}_\mathcal{R}$ as given in Section 3.1 with proof sort $Prf$, then $\mathcal{T}_\mathcal{R}$ is the partial monoidal category with set of objects $|\mathcal{T}_\mathcal{R}|$ the ground $\Sigma$-terms of sort $Coh$ modulo the equations $E$, or equivalently, by Lemma 2, the $\Sigma'$-ground terms of sort $Coh$ modulo the equations of $E'$, and arrows the ground $\Sigma'$-terms of sort $Prf$ modulo the equations $E'$ on proofs.

We call $\mathcal{T}_\mathcal{R}$ partial monoidal because the operation $\_\,\_$ satisfies the typical equations of a (symmetric) monoidal product but is only a partial operation. In other words, the specification $\mathcal{P}_\mathcal{R}$ has an initial partial algebra $T_{\mathcal{P}_\mathcal{R}}$ [?] which has a partial monoidal category structure for terms of sort $Prf$. The category $\mathcal{T}_\mathcal{R}$ is obtained by restricting $T_{\mathcal{P}_\mathcal{R}}$ to just those partial monoidal category operations and forgetting the additional sorts and algebraic structure. Alternatively, we can regard $\mathcal{T}_\mathcal{R}$ as a natural refinement and specialization to object theories and coherent configurations of the initial model $T_\mathcal{R}$ associated to a rewrite theory $\mathcal{R}$.
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4 Associating Event Partial Orders to Proofs 

Assume $\mathcal{R} = ((\Sigma, E), R)$ is an object theory as defined in Section 2 and $\mathcal{T}_\mathcal{R}$ the associated proof category as given in Section 3. We refine the notion of object theory to objects with identities by postulating two more requirements. We want to treat occurrences of rewrite rule applications in a proof as events, each of which can be uniquely identified (condition 1). Furthermore, in order to be able to identify causal connections between events due, for example, to the asynchronous sending and receiving of messages, not only objects but also messages need to have unique identity (condition 2).

Definition 2 (Object Theory with Identities).

1. Assume further that all occurrences of a rule application in a proof are necessarily distinct. Using Lemma 1 we can express this as follows. Let $\alpha$ be a proof, and let

$Z_0 \xrightarrow{U_1\,r_1(\theta_1)} \ldots \xrightarrow{U_n\,r_n(\theta_n)} Z_n$

be any sequentialization of $\alpha$. Then for $0 < i, j \le n$, we have $E' \nvdash r_i(\theta_i) = r_j(\theta_j)$ whenever $i \neq j$. Note that this condition can easily be attained by suitable annotation of objects and messages. Because of this property, we can regard each rewrite rule application $r_i(\theta_i)$ as a distinct event in the overall computation formalized as a proof.

2. Assume given a set $Id$ of identities, and a function $ids : |\mathcal{T}_\mathcal{R}| \to \mathcal{P}_{fin}(Id)$ such that

(1) $Z : Coh$ implies $ids(Z) = \emptyset$ iff $Z = 0$;

(2) $Z\,Z' : Coh$ implies $ids(Z) \cap ids(Z') = \emptyset$ and $ids(Z\,Z') = ids(Z) \cup ids(Z')$.

Definition 3 (Event ids, $ids(r(\theta))$). For basic rewrites $r(\theta)$ define

$ids(r(\theta)) = ids(source(r(\theta))) \cup ids(target(r(\theta)))$.

Now we associate to each ground term $\alpha$ of $Prf$ a structure $\llbracket\alpha\rrbracket = (\mathcal{E}_\alpha, <_\alpha)$ where $\mathcal{E}_\alpha$ is the set of events (the rewrite rule applications) of $\alpha$ and $<_\alpha$ is a partial order on these events. The structure $\llbracket\alpha\rrbracket$ is defined by induction on the generation of $\alpha$ as follows.

Definition 4 ($\llbracket\alpha\rrbracket$).

(id) $\llbracket U \rrbracket = (\emptyset, \emptyset)$

(rule) $\llbracket r(\theta) \rrbracket = (\{r(\theta)\}, \emptyset)$

(par) $\llbracket \alpha\,\beta \rrbracket = \llbracket\alpha\rrbracket\,\llbracket\beta\rrbracket = \llbracket\alpha\rrbracket \cup \llbracket\beta\rrbracket$, where $(\mathcal{E}_\alpha, <_\alpha) \cup (\mathcal{E}_\beta, <_\beta) = (\mathcal{E}_\alpha \cup \mathcal{E}_\beta,\ <_\alpha \cup <_\beta)$ *

(seq) $\llbracket \alpha;\beta \rrbracket = \llbracket\alpha\rrbracket;\llbracket\beta\rrbracket = (\mathcal{E}_\alpha \cup \mathcal{E}_\beta,\ <_{\alpha;\beta})$ where

$<_{\alpha;\beta} = TC(<_\alpha \cup <_\beta \cup \{e_0 < e_1 \mid e_0 \in \mathcal{E}_\alpha \wedge e_1 \in \mathcal{E}_\beta \wedge ids(e_0) \cap ids(e_1) \neq \emptyset\})$

and $TC(\_)$ is the transitive closure operation.

Note that the condition $ids(e_0) \cap ids(e_1) \neq \emptyset$ in the (seq) case above is precisely the point where causal connections between events appear: $e_0 < e_1$ just if $e_0$ precedes $e_1$ in some sequentialization and they involve a common identity (object or message).

* Note that, by condition (1) and Lemma 1, $\mathcal{E}_\alpha$ and $\mathcal{E}_\beta$ are disjoint, and hence the union as defined is a partial order.
Definition 5 (The Event Category $\mathcal{E}_\mathcal{R}$). If $\mathcal{R} = ((\Sigma, E), R)$ is an object theory with identities with coherent configuration sort $Coh$ and proof term theory $\mathcal{P}_\mathcal{R}$ as given in Section 3.1 with proof sort $Prf$, then $\mathcal{E}_\mathcal{R}$ is the partial monoidal category with set of objects $|\mathcal{E}_\mathcal{R}|$ the ground $\Sigma$-terms of sort $Coh$ modulo the equations $E$, and arrows $\llbracket\alpha\rrbracket : U \to V$, for $\alpha$ a ground term of sort $Prf$, such that $U = source(\alpha)$ and $V = target(\alpha)$. The sequential composition and monoidal product operations on arrows are the operations $\_;\_$ and $\_\,\_$ given in Definition 4 above.

The main result of this section is the isomorphism between the proof category $\mathcal{T}_\mathcal{R}$ and the category $\mathcal{E}_\mathcal{R}$ of event partial orders associated to an object theory $\mathcal{R}$.

Theorem 1 (Proof-Event Isomorphism). Let $\mathcal{R} = ((\Sigma, E), R)$ be an object theory with identities. Then, the partial monoidal categories $\mathcal{T}_\mathcal{R}$ and $\mathcal{E}_\mathcal{R}$ are isomorphic.

Proof: The isomorphism is the identity on objects and associates to each proof equivalence class $[\alpha]$ the event partial order $\llbracket\alpha\rrbracket$. That this is indeed an isomorphism follows from Lemmas 6 and 7 below. □

Before proving Lemmas 6 and 7 we establish some basic properties of events and the causal ordering. Lemma 3 gives a simple characterization of the event partial order associated to a proof in sequential form.

Lemma 3. If $\alpha = U_1\,r_1(\theta_1); \ldots; U_k\,r_k(\theta_k)$, then $\llbracket\alpha\rrbracket = (\{r_1(\theta_1), \ldots, r_k(\theta_k)\}, <)$ where $<$ is the transitive closure of $\{(r_i(\theta_i), r_j(\theta_j)) \mid i < j,\ ids(r_i(\theta_i)) \cap ids(r_j(\theta_j)) \neq \emptyset\}$.

Lemma 4 shows that adjacent events may be permuted if not causally related, that is, if they act on different parts of the configuration.

Lemma 4. If $U_0\,r_0(\theta_0); U_1\,r_1(\theta_1) : Prf$ such that $ids(r_0(\theta_0)) \cap ids(r_1(\theta_1)) = \emptyset$ (i.e. $r_1(\theta_1)$ is minimal in $\llbracket U_0\,r_0(\theta_0); U_1\,r_1(\theta_1) \rrbracket$), then there are $V_0, V_1 : Coh$ such that $U_0\,r_0(\theta_0); U_1\,r_1(\theta_1) = V_1\,r_1(\theta_1); V_0\,r_0(\theta_0)$.

Lemma 5 shows that sequentializations of a proof correspond to linearizations of the associated event partial order.

Lemma 5. If $\alpha : Prf$, then every linearization of $\llbracket\alpha\rrbracket$ corresponds to a sequentialization of $\alpha$.

Proof: By induction on the generation of $\alpha$ using Lemma 4. □

Lemma 6 (Proof-Event.1). If $E' \vdash \alpha = \alpha'$, then $\llbracket\alpha\rrbracket = \llbracket\alpha'\rrbracket$.

Proof: By induction on the proof of equality from the equational rules of Section 3.1. The logical rules are easy to check and it remains to check each of the equational axioms. The details are omitted here. □

Lemma 7 (Proof-Event.2). If $\llbracket\alpha\rrbracket = \llbracket\alpha'\rrbracket$ and $source(\alpha) = source(\alpha')$, then $E' \vdash \alpha = \alpha'$.
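The computation of Section 1.1 and the event partial order of Definition 4, as an added runnable example (this is not code from the paper): it executes the three rewrite rules on the constructed configuration $C_0$, computes $\llbracket\alpha\rrbracket$ from the sequential form by Lemma 3, and checks that the two interleavings of the last step (Lemma 4) reach the same configuration and the same event partial order, as Theorem 1 predicts. Assumptions: a configuration is a Python list used as a multiset, an object's identity is its name, and a message's identity is its (sender, counter) tag.

```python
"""Added example (not the paper's code): the Buffer/Sender/Receiver object theory
run as a rewrite system, with the event partial order [[alpha]] of Definition 4
computed by Lemma 3.  Assumptions: a configuration is a Python list used as a
multiset, an object's identity is its name, and a message's identity is its
(sender, counter) tag."""
from collections import Counter

def obj(name, cls, **attrs):
    """An object < name : cls | attrs >; attribute order is immaterial."""
    return ("obj", name, cls, tuple(sorted(attrs.items())))

def msg(to, value, frm, n):
    """A message (to Z : E from (Y,N))."""
    return ("msg", to, value, frm, n)

def ids(terms):
    """ids(Z): the identities occurring in a configuration (Definition 2)."""
    return {t[1] if t[0] == "obj" else ("msg", t[3], t[4]) for t in terms}

# The three rules as (label, args, lhs patterns, rhs patterns); attributes a
# pattern does not mention are left unchanged by the rewrite.
def read(X, Y, L, E, N):
    return ("read", (X, Y, L, E, N),
            [obj(X, "Buffer", q=L + (E,), reader=Y), obj(Y, "Sender", cell="mt", cnt=N)],
            [obj(X, "Buffer", q=L, reader=Y), obj(Y, "Sender", cell=E, cnt=N + 1)])

def send(Y, Z, E, N):
    return ("send", (Y, Z, E, N),
            [obj(Y, "Sender", cell=E, cnt=N, receiver=Z)],
            [obj(Y, "Sender", cell="mt", cnt=N), msg(Z, E, Y, N)])

def receive(Z, Y, E, N):
    return ("receive", (Z, Y, E, N),
            [obj(Z, "Receiver", cell="mt", cnt=N), msg(Z, E, Y, N)],
            [obj(Z, "Receiver", cell=E, cnt=N + 1)])

def matches(pat, term):
    """Object patterns match on name, class and the attributes they mention;
    message patterns must match exactly."""
    if pat[0] != term[0]:
        return False
    if pat[0] == "msg":
        return pat == term
    return pat[1:3] == term[1:3] and dict(pat[3]).items() <= dict(term[3]).items()

def apply_rule(conf, rule):
    """One elementary rewrite r(theta) anywhere in the multiset (modulo AC); returns
    the new configuration and the event (label, args, ids(r(theta))) of Definition 3."""
    label, args, lhs, rhs = rule
    rest, matched = list(conf), []
    for pat in lhs:
        hit = next((t for t in rest if matches(pat, t)), None)
        if hit is None:
            raise ValueError(f"{label}{args} does not apply")
        rest.remove(hit)
        matched.append(hit)
    new = []
    for pat in rhs:
        if pat[0] == "obj":  # carry over the attributes the rule omits
            keep = dict(next(t for t in matched if t[:2] == pat[:2])[3])
            keep.update(dict(pat[3]))
            new.append(obj(pat[1], pat[2], **keep))
        else:
            new.append(pat)
    return rest + new, (label, args, frozenset(ids(matched) | ids(new)))

def run(conf, rules):
    """A proof in sequential form U_1 r_1(theta_1); ...; U_k r_k(theta_k)."""
    events = []
    for r in rules:
        conf, e = apply_rule(conf, r)
        events.append(e)
    return conf, events

def event_poset(events):
    """[[alpha]] by Lemma 3: e_i < e_j iff i < j and their ids overlap, then TC(_)."""
    name = [f"{lab}{args}" for lab, args, _ in events]
    lt = {(i, j) for i in range(len(events)) for j in range(i + 1, len(events))
          if events[i][2] & events[j][2]}
    while True:  # transitive closure
        extra = {(i, l) for (i, j) in lt for (k, l) in lt if j == k} - lt
        if not extra:
            break
        lt |= extra
    return frozenset(name), frozenset((name[i], name[j]) for i, j in lt)

# Constructed initial configuration C_0 of Section 1.1 (nil is the empty tuple).
C0 = [obj("a", "Buffer", q=(7, 9), reader="b"),
      obj("c", "Receiver", cell="mt", cnt=1),
      obj("b", "Sender", cell="mt", cnt=0, receiver="c")]
FIRST = [read("a", "b", (7,), 9, 0), send("b", "c", 9, 1)]
LAST_A = [read("a", "b", (), 7, 1), receive("c", "b", 9, 1)]  # read, then receive
LAST_B = [receive("c", "b", 9, 1), read("a", "b", (), 7, 1)]  # receive, then read

def same_computation(seq1, seq2):
    """Same concurrent computation iff same final configuration and same [[alpha]]."""
    c1, e1 = run(C0, seq1)
    c2, e2 = run(C0, seq2)
    return Counter(c1) == Counter(c2) and event_poset(e1) == event_poset(e2)
```

Running `same_computation(FIRST + LAST_A, FIRST + LAST_B)` returns True, and `event_poset` orders the send before the receive but leaves the second read and the receive unrelated, matching Figure 1.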
5 Infinite Computations and Event Models

We extend the proof and event partial order models of object theories to infinite computations as follows.

Let $\mathcal{R}$ be an object rewrite theory with associated proof term theory $\mathcal{P}_\mathcal{R}$. An infinite proof (or computation) $\pi$ is simply an infinite sequence $\{\pi(i) \mid i \in Nat\}$ of ground proof terms $\alpha_i : Prf$ such that $target(\alpha_i) = source(\alpha_{i+1})$ for $i \in Nat$. We call these infinite proofs proof paths or just paths. A path $\pi$ is in sequential form if each step $\pi(i)$ contains at most one event (its sequentialization has length 0 or 1).

We denote by $Prf^\infty$ the set of proof paths. The initial segment at $i$ of a path $\pi$, written $\pi|_i$, is the sequential composition of the path elements $\pi(j)$ for $j \le i$. This is defined by induction on $i$ as follows:

$\pi|_0 = \pi(0)$

$\pi|_{i+1} = \pi|_i;\pi(i+1)$

We define prefix orderings $\_ \preceq \_$ on proof terms and on event partial orders as follows.

Definition 6. The prefix ordering on proof terms

$\alpha \preceq \beta \Leftrightarrow (\exists \alpha' : Prf)(E' \vdash \alpha;\alpha' = \beta)$.

Note that an alternative and equivalent representation of infinite computations is as an increasing infinite sequence of finite computations using the $\preceq$ ordering.

The corresponding prefix ordering on event partial orders is the initial segment relation given by

$(\mathcal{E}, <) \preceq (\mathcal{E}', <') \Leftrightarrow \mathcal{E} \subseteq \mathcal{E}' \wedge (\forall e, e' \in \mathcal{E})(e < e' \Leftrightarrow e <' e') \wedge (\forall e \in \mathcal{E}, e' \in \mathcal{E}')(e' <' e \Rightarrow e' \in \mathcal{E})$.

Lemma 8. For $U \xrightarrow{\alpha} V$ and $U \xrightarrow{\beta} W$, we have $\alpha \preceq \beta$ iff $\llbracket\alpha\rrbracket \preceq \llbracket\beta\rrbracket$.

Two paths $\pi$ and $\pi'$ are equivalent, written $\pi \equiv \pi'$, iff for each initial segment of $\pi$ there is an initial segment of $\pi'$ that extends it, and conversely.

$\pi \sqsubseteq \pi' \Leftrightarrow (\forall i \in Nat)(\exists j \in Nat)(\pi|_i \preceq \pi'|_j)$,

$\pi \equiv \pi' \Leftrightarrow \pi \sqsubseteq \pi' \wedge \pi' \sqsubseteq \pi$.

We define $\mathcal{T}^\infty_\mathcal{R}$ to be the quotient of $Prf^\infty$ under this equivalence relation.

The following lemma shows that, modulo the path equivalence relation, we can restrict attention to paths in sequential form.

Lemma 9. For any $\pi \in Prf^\infty$ we can find $\pi' \in Prf^\infty$ such that $\pi'$ is in sequential form and $\pi \equiv \pi'$.
The mapping from proofs to event partial orders extends to paths as follows. To assure the desired isomorphism, we associate with each path a pair consisting of the initial configuration of the path and the associated event partial order. For $\pi \in Prf^\infty$,

$\llbracket\pi\rrbracket = (source(\pi(0)),\ \bigcup_{i \in Nat} \llbracket\pi|_i\rrbracket)$

that is,

$\llbracket\pi\rrbracket = (U, (\mathcal{E}_\pi, <_\pi))$

where $U = source(\pi(0))$, $\mathcal{E}_\pi = \bigcup_{i \in Nat} \mathcal{E}_{\pi|_i}$ and $<_\pi = \bigcup_{i \in Nat} <_{\pi|_i}$. Thus, $e <_\pi e'$ just if $e, e' \in \mathcal{E}_{\pi|_i}$ for some $i \in Nat$ and $e <_{\pi|_i} e'$. Note that, by Lemma 8, $<_\pi$ is indeed a partial order.

We define $\mathcal{E}^\infty_\mathcal{R}$ to be the image of $\mathcal{T}^\infty_\mathcal{R}$ under this mapping. We now extend the isomorphism $\mathcal{T}_\mathcal{R} \cong \mathcal{E}_\mathcal{R}$ to a similar result for infinite computation paths and infinite partial orders.

Theorem 2. For any $\pi, \pi' : Prf^\infty$, $\pi \equiv \pi' \Leftrightarrow \llbracket\pi\rrbracket = \llbracket\pi'\rrbracket$.



6 Concluding Remarks 



This paper has shown the equivalence between the algebraic proof term model for object rewrite theories and a natural partial order of events model for such theories. This equivalence takes the form of an effective isomorphism between the two models that can be used in practice in a number of ways. For example, proof terms describing concurrent computations, which can be easily generated during an execution of an object rewrite theory, can now be visualized by their corresponding partial order of events. Furthermore, proof equivalence can be decided in $O(n^2 \times m)$ time by comparing the associated event partial orders, where $n$ is the number of events, and $m$ the size of the biggest event as a term.

In a similar way, the equivalence between proof and partial order descriptions can be used to check the consistency of object-oriented design descriptions written in different diagrammatic notations. Work of Knapp and Wirsing [?] has shown how object theories can be associated to UML-like notations. It now becomes possible to check that a given sequence diagram (which is essentially a partial order of events description) for a system is consistent with such an object theory, by checking whether the corresponding proof term is a valid proof in the logic.

Using techniques similar to those used in [?], our partial order of events model could be cast in an event structure formulation by viewing the computations starting from an object-oriented configuration $C$ as forming a prime algebraic domain under the order $\alpha \le \beta$ iff there is a $\gamma$ such that $\beta = \alpha;\gamma$. Due to space limitations, the details will appear in a full version of the paper.

Our event model also has interesting connections with other formalisms that should be further explored. For example, the distributed temporal logic of objects recently proposed by Denker [?] is explicitly based on our model, and the temporal logic proposed by Katz [?] assumes a partial order true concurrency model closely related to ours. The axiomatization of the actor model in temporal logic of Duarte [?] is being extended to also axiomatize actor event diagrams. Similarly, in the area of model checking there has been growing interest in partial order descriptions that can reduce the search space (see for example [?]).
Abstract. The paper presents a partial order reduction method applica- 
ble to networks of timed automata. The advantage of the method is that 
it reduces both the number of explored control states and the number 
of generated time zones. The approach is based on a local-time seman- 
tics for networks of timed automata defined by Bengtsson et al. [1998], 
and used originally for local reachability analysis. In this semantics, each 
component automaton executes asynchronously, in its own local time 
scale, which is tracked by an auxiliary reference clock. On communica- 
tion transitions, the automata synchronize their time scales. We show 
how this model can be used to perform model checking for an exten- 
sion of linear temporal logic, which can express timing relations between 
events. We also show how for a class of timed automata, the local-time 
model can be implemented using difference bound matrices without any 
space penalty, despite the need to represent local time. Furthermore, we 
analyze the dependence relation between transitions in the new model 
and give practical conditions for selecting a reduced set of transitions. 



1 Introduction 

Model checking [ref] has emerged as a very successful automatic verification tech- 
nique for finite-state systems. However, its application is still limited by the state 
space explosion problem. The number of possible states in a system grows ex- 
ponentially with the number of component parts, quickly exceeding the current 
capabilities of verification tools. For timed systems, the complexity in the control 
space is increased by the timing information that needs to be maintained, since 
each untimed state can be reached at many different time instances. 

Partial order reduction is a well-established method to reduce the 
complexity of state space exploration in asynchronous systems. It explores a 
restricted number of interleavings for independent concurrent transitions, while 
preserving the verified property in the reduced model. However, in timed systems 
the implicit synchronization among transitions, caused by the passage of time, 
makes the application of this technique problematic. This paper shows how to 
perform partial order reduction for continuous-time systems modeled as timed 
automata, while preserving properties specified in an extension of linear-time 
temporal logic augmented with explicit time constraints. 

* This research was sponsored in part by the Semiconductor Research Corporation 
(SRC), the National Science Foundation (NSF), and the Defense Advanced Research 
Projects Agency (DARPA). 

2 Timed Automata 
2.1 Definition 

Timed automata [ref] are transition systems extended with real-valued clocks 
which advance at the same rate and can be reset on executing a transition. Both 
states and transitions are associated with temporal constraints on the clocks. 

Definition 1. A clock is a variable over the set $\mathbb{R}^+$ of nonnegative reals. A 
clock valuation for a set of clocks $C = \{x_1, \dots, x_n\}$ is a function $v : C \to \mathbb{R}^+$. 

Definition 2. An atomic clock constraint is an inequality of the form $x \prec c$, 
$c \prec x$, or $x - y \prec c$, where $x, y$ are clocks, $c \in \mathbb{Z}$ is an integer and $\prec\ \in \{<, \le\}$. 
A clock constraint is a conjunction of atomic clock constraints or the value true. 
The set of clock constraints over a set of clocks C is denoted by $B(C)$. 

Definition 3. A timed automaton is a tuple $A = (S, S^0, C, E, I, \mu)$, where 

• S is a finite set of nodes (control states); $S^0 \subseteq S$ is the set of initial nodes 

• C is a finite set of real-valued non-negative clocks 

• $E \subseteq S \times B(C) \times 2^C \times S$ is a finite set of edges. An edge $e = (s, \psi, R, s')$ has an 
enabling condition $\psi$ and a set R of clocks that are reset on traversing the edge. 

• $I : S \to B(C)$ defines an invariant condition associated with each node 

• $\mu : S \to 2^P$ labels each node with atomic propositions from a set P 

A satisfied enabling condition does not force the execution of a transition. An 
automaton can remain at the same node as long as the node invariant is satisfied. 
We define a network of timed automata using a general parallel composition: 

Definition 4. Consider n timed automata $A_i = (S_i, S_i^0, C_i, E_i, I_i, \mu_i)$, and a 
synchronization function $f : \prod_{i=1}^{n} (E_i \cup \{\epsilon\}) \to \{0, 1\}$ (where $\epsilon$ is a symbol 
denoting a null edge). The network of timed automata $A_1 \| A_2 \| \dots \| A_n$ is a 
timed automaton $A = (S, S^0, C, E, I, \mu)$, where: 

• $S = S_1 \times S_2 \times \dots \times S_n$ and $S^0 = S_1^0 \times S_2^0 \times \dots \times S_n^0$ 

• $C = C_1 \cup C_2 \cup \dots \cup C_n$ (assuming $C_i \cap C_j = \emptyset$, for $i \ne j$) 

• E contains a family of edges (a transition) for each tuple $(e_1, \dots, e_n)$ with $f(e_1, \dots, e_n) = 1$. 
For transition a, let $e_i = (s_i, \psi_i, R_i, s_i')$ if $e_i \ne \epsilon$ and $active(a) = \{i \mid e_i \ne \epsilon\}$. The 
edges of a have endpoints with $s_i$ and $s_i'$ given by $e_i$ for $i \in active(a)$, $s_j = s_j' \in S_j$ 
arbitrary for $j \notin active(a)$, $\psi = \bigwedge_{i \in active(a)} \psi_i$, and $R = \bigcup_{i \in active(a)} R_i$. 

• $I(s) = \bigwedge_{i=1}^{n} I_i(s_i)$ 

• $\mu(s) = \bigcup_{i=1}^{n} \mu_i(s_i)$ (assuming pairwise disjoint sets of atomic propositions $P_i$) 

A transition corresponds to the synchronous traversal of edges in several 
component automata. The synchronization function determines which automata 
execute (the active set of the transition) and which ones remain at their local 
state. This allows the modeling of many common synchronization paradigms, 
including pairwise communication. A transition with more than one automaton 
in its active set is called a synchronization transition, otherwise it is called local. 
2.2 Semantics 

Given a clock valuation v and $d \in \mathbb{R}^+$, $v + d$ is the valuation given by $(v + d)(x) = 
v(x) + d$, $\forall x \in C$. For $R \subseteq C$, $v[R \mapsto 0]$ is the clock valuation that is zero for 
clocks in R and agrees with v for all other clocks. The truth value of the clock 
constraint $\psi \in B(C)$ for a clock valuation v is denoted by $\psi(v)$. 

Definition 5. A model of a timed automaton is a state-transition graph $\mathcal{S}(A) = 
(\Sigma, \Sigma^0, \to)$, where 

• $\Sigma = \{(s, v) \mid I(s)(v)\}$ is the set of timed states satisfying the node invariant 

• $\Sigma^0 = \{(s^0, 0_C) \mid s^0 \in S^0\}$ is the set of initial states, with $0_C(x) = 0$, $\forall x \in C$ 

• $\to$ is the transition relation defined as the union of delay and action transitions: 

- $(s, v) \xrightarrow{d} (s, v + d)$ if $d \in \mathbb{R}^+$, and for all $0 \le d' \le d$, $I(s)(v + d')$ holds 

- $(s, v) \xrightarrow{a} (s', v[R \mapsto 0])$ for $a \in T$ (the set of transitions of A) if there exists an 
edge $e = (s, \psi, R, s') \in a$, such that $\psi(v)$ is true and $I(s')(v[R \mapsto 0])$ holds 

A delay transition models the elapse of time in the same control state, 
while maintaining the invariant. An action transition can be executed (instan- 
taneously) if the clock valuation satisfies the enabling condition. Clocks in the 
set R are reset, the other clocks maintain their value. 

We assume that node invariants contain only constraints of the form $x_i \prec c$, 
because the constraints $x_i - x_j \prec c$ or $c \prec x_i$ are not falsified by time passage, 
and can be incorporated into the enabling condition of incoming edges. Also, 
since clock constraints are convex, invariants must only be checked in the final 
state of a delay transition: $(s, v) \xrightarrow{d} (s, v + d)$ if $d \in \mathbb{R}^+$ and $I(s)(v + d)$ holds. 

Definition 6. An execution trace of a timed automaton is a finite or infinite 
sequence $\sigma = (s^0, 0_C) \to (s^1, v^1) \dots \to (s^k, v^k) \dots$ starting from a state $s^0 \in S^0$. 

We denote by $\sigma(k) = (s^k, v^k)$ the state on the trace $\sigma$, by $\sigma_k$ the finite 
prefix of $\sigma$ ending at $(s^k, v^k)$ and by $\sigma^k$ the suffix of $\sigma$ starting at the same state. 

2.3 The Model Checking Problem 

Several model checkers for timed automata exist. The Kronos tool [ref] is a model 
checker for TCTL and timed $\mu$-calculus [ref], and Uppaal [ref] verifies properties 
in a timed modal logic. However, partial order approaches have been so far re- 
stricted to less expressive properties: Pagani [ref] performs deadlock detection, 
whereas Bengtsson et al. [ref] check local reachability within one process. 

We use an extension of LTL inspired from the timed temporal logic for nets 
(TNL) of [ref], which has been used to verify time Petri nets. By allowing con- 
straints on two clock differences, the logic permits reasoning about the time 
separation of two events, since the difference between two clocks corresponds to 
the difference between the execution times of the transitions that reset them. 
The formulas of our logic, called $\mathrm{LTL}_\Delta$, are defined by the grammar: 

$\varphi ::= true \mid p \mid x - y \prec c \mid \neg\varphi \mid \varphi_1 \wedge \varphi_2 \mid \varphi_1\, U\, \varphi_2$ 

where $p \in P$ is an atomic proposition, $x, y \in C$ are clocks, $c \in \mathbb{Z}$ and $\prec\ \in \{<, \le\}$. 
Definition 7. Consider an infinite execution trace $\sigma = (s^0, v^0) \to (s^1, v^1) \to 
\dots \to (s^k, v^k) \to \dots$. The semantics of an $\mathrm{LTL}_\Delta$ formula is defined as follows: 

• $(s, v) \models p$ iff $p \in \mu(s)$ 

• $(s, v) \models x - y \prec c$ iff $v(x) - v(y) \prec c$. 

• $\sigma \models \varphi_a$ iff $\varphi_a$ is an atomic formula and $(s^0, v^0) \models \varphi_a$ 

• $\sigma \models \neg\varphi$ iff $\sigma \models \varphi$ does not hold 

• $\sigma \models \varphi_1 \wedge \varphi_2$ iff $\sigma \models \varphi_1$ and $\sigma \models \varphi_2$ 

• $\sigma \models \varphi_1\, U\, \varphi_2$ iff $\exists k \ge 0$ such that $\sigma^k \models \varphi_2$ and $\sigma^j \models \varphi_1$ for all $0 \le j < k$ 

• $\mathcal{S}(A) \models \varphi$ iff $\sigma \models \varphi$ for any infinite execution trace $\sigma$ of $\mathcal{S}(A)$. 

Since control state and clock differences are preserved by time passage, all 
intermediate states traversed by a delay transition have the same truth value for 
any atomic subformulas in $\mathrm{LTL}_\Delta$. Thus, the given semantics based on transition 
endpoints corresponds to the intuitive meaning of continuous execution. 



3 The Model Checking Approach 

3.1 Effect of Transition Interleavings 

The traditional reachability analysis algorithm for networks of timed automata 
explores all possible transition interleavings among the individual components. 
Partial order methods choose a representative from each set of equivalent inter- 
leavings, exploring only a reduced portion of the state space. However, in our 
model of time, clocks advance simultaneously in all automata, and different in- 
terleavings may produce different assignments to clock values. The independence 
of transitions in the underlying untimed system may not be preserved. 

Consider the system of two automata in Fig. 1 and its exploration using timed 
zones [ref]. From the initial state $((s_1, s_2), x = y)$, transition a leads to the state 
$((s_1', s_2), x \le y)$ (since clock x is reset). Next, on executing b, clock y is reset, 
leading to state $((s_1', s_2'), x \ge y)$. If b is executed before a, the system reaches 
first the state $((s_1, s_2'), x \ge y)$, and then the state $((s_1', s_2'), x \le y)$. 




Fig. 1. Effect of transition interleavings 

The two interleavings lead to the same control state, but to distinct clock 
zones and thus distinct states in the zone automaton. Hence, the transitions are 
not independent and usual partial order reduction techniques cannot be applied. 

For a property insensitive to the ordering of x and y, both interleavings 
are still equivalent, leading to a timed state in the union of the two zones, 
$((s_1', s_2'), x \ge y \vee x \le y) = ((s_1', s_2'), true)$. Our goal is a partial order reduction 
method that produces a zone containing the timed states reachable by all tran- 
sition interleavings, while exploring only one interleaving, and thus fewer states. 
3.2 Related Work 

Partial order reduction has been investigated by Yoneda and Schlingloff [ref] 
for time Petri nets, which have earliest and latest firing times associated with 
transitions and are thus less expressive than timed automata. The logic used for 
specifications is similar to $\mathrm{LTL}_\Delta$, but the dependency relation between transi- 
tions uses run-time information about the time component of the current state. 
Lilius [ref] improves on this technique by not storing the transition firing order 
in the timing constraints and reducing branching in the generated graph. 

For timed automata, Pagani [ref] shows that in many cases timing in- 
troduces dependencies and reduces the amount of partial order reduction. The 
analysis is limited to deadlock detection. Dams et al. [ref] handle some of these 
cases, generalizing the notion of independence and selecting at a state those 
transitions whose executions cover the result of exploring other interleavings. 

Belluomini and Myers [ref] use an event model with lower and upper time 
bounds associated to transitions. Timing information is represented in the form 
of partially ordered sets, reducing the number of generated time zones. However, 
their analysis does not reduce the number of explored transition interleavings. 

The method from which we draw most is that of Bengtsson, Jonsson, Lilius 
and Wang [ref]. They define a local-time semantics based on desynchronized execu- 
tion of the component automata and local time delays, with additional reference 
clocks to model synchronization. In this model the same independence conditions 
as in the untimed case apply, and an algorithm is given to decide the reachability 
of a local control state. 



3.3 Local-Time Model 

We revisit the local-time model of Bengtsson et al. [ref] using somewhat different 
notations and prove several results underlying its use in model checking. 

Consider the interaction of action and delay transitions. The enabling of an 
action transition and the resulting state change depend only on the state of the 
participating automata. Hence, two action transitions with disjoint active sets 
are independent. On the other hand, a delay transition changes the state in all 
automata by incrementing the values of all clocks. It is therefore dependent on 
any action transition that also changes clock values (specifically, resets clocks). 

However, one can view a global delay transition as a set of simultaneous 
transitions with equal delay in all component automata. This suggests that time- 
induced dependencies can be removed by separating a global delay transition 
into individual transitions for each component automaton, without requiring 
their simultaneity. To this effect, local passage of time is introduced as follows: 

For a clock valuation v, $d \in \mathbb{R}^+$ and $i \in \overline{1,n}$, define the clock valuation $v +_i d$ 
by: $(v +_i d)(x) = v(x) + d$ for $x \in C_i$ and $(v +_i d)(x) = v(x)$ otherwise. 

A local delay transition increments only the clocks in automaton $A_i$. We 
identify it with a pair $(d, i) \in T_d = \mathbb{R}^+ \times \overline{1,n}$, define $active((d, i)) = \{i\}$ and 
denote $T_l = T \cup T_d$. For $i \in \overline{1,n}$, define the functions $delay_i : T_l \to \mathbb{R}^+$ as 
follows: $delay_i((d, i)) = d$, $delay_i((d, j)) = 0$ for $i \ne j$, and $delay_i(a) = 0$ for $a \in T$. 
They indicate the delay caused by a transition in a component automaton. 

Definition 8. The local-time model $\mathcal{L}(A)$ for a network of timed automata $A = 
A_1 \| A_2 \| \dots \| A_n$ is a state-transition graph with state set $\Sigma$, initial state set $\Sigma^0$ 
and execution traces $\sigma = (s^0, v^0) \xrightarrow{\tau_1} (s^1, v^1) \dots \xrightarrow{\tau_k} (s^k, v^k) \dots$ starting from a 
state $(s^0, v^0) \in \Sigma^0$ and satisfying one of the following conditions for any $k \ge 1$: 

• $\tau_k = (d, i) \in T_d$, $v^k = v^{k-1} +_i d$ and $\forall d' \in [0, d].\ I_i(s_i^k)(v^{k-1} +_i d')$, or 

• $\tau_k \in T$, $(s^{k-1}, v^{k-1}) \xrightarrow{\tau_k} (s^k, v^k)$ and $\sum_{l=1}^{k} delay_i(\tau_l) = \sum_{l=1}^{k} delay_j(\tau_l)$ for 
all $i, j \in active(\tau_k)$ 

The first case is a local delay transition $(s^{k-1}, v^{k-1}) \xrightarrow{d}_i (s^k, v^k)$ in automaton $A_i$. 
In the second case, an action transition $(s^{k-1}, v^{k-1}) \xrightarrow{\tau_k} (s^k, v^k)$ is executed, under 
the additional constraint that the elapsed time (the sum of delays) is identical 
for all automata in the active set. (For a local action transition, this additional 
constraint is void.) In both cases, the transition $\tau_k$ is said to be enabled after the 
execution of $\sigma_{k-1}$. Denote by $enabled(\sigma)$ and $enabled^*(\sigma)$ the set of transitions 
and transition sequences, respectively, that can follow a finite trace $\sigma$. 

For a finite execution trace $\sigma = (s^0, v^0) \xrightarrow{\tau_1} (s^1, v^1) \dots \xrightarrow{\tau_k} (s^k, v^k)$, define 
$time_i(\sigma) = t_0 + \sum_{l=1}^{k} delay_i(\tau_l)$, where $t_0 \in \mathbb{R}^+$ is an arbitrary timepoint at 
which the execution of $\sigma$ starts. Then, $time_i(\sigma)$ (or $time_i$, when $\sigma$ is implicit) 
denotes the timepoint reached in $A_i$ after executing $\sigma$. The local configuration 
of $A_i$ reached by $\sigma$ is the tuple $cfg_i(\sigma) = (s_i, v_i, time_i)$, where $v_i$ denotes the 
restriction of v to the clocks of $A_i$. The global configuration of A is the tuple 
$cfg(\sigma) = (cfg_1(\sigma), cfg_2(\sigma), \dots, cfg_n(\sigma))$, also denoted $cfg(\sigma) = (s, v, time)$ with 
$time = (time_1, time_2, \dots, time_n)$. The set of configurations is $\Sigma_c = \Sigma \times (\mathbb{R}^+)^n$. 

Note that the enabling of an action transition is defined in terms of the 
trace executed so far. The following result shows that a configuration determines 
completely the subsequently enabled transitions. The proof follows directly from 
the definitions of parallel composition and the local-time model. 

Proposition 1. The following properties hold in the local-time model $\mathcal{L}(A)$ for 
finite execution traces $\sigma$ and $\sigma'$ and transition $\tau \in enabled(\sigma)$: 

• if $cfg_i(\sigma) = cfg_i(\sigma')$ for all $i \in active(\tau)$, then $\tau \in enabled(\sigma')$ and $cfg_i(\sigma\tau) = 
cfg_i(\sigma'\tau)$ for all $i \in active(\tau)$ 

• $cfg_j(\sigma\tau) = cfg_j(\sigma)$ for all $j \notin active(\tau)$, where $\sigma\tau$ denotes the trace obtained 
by extending $\sigma$ with the transition $\tau$. 

Consequently, two finite execution traces leading to the same configuration have 
the same enabled transitions. For a configuration $\gamma \in \Sigma_c$ one can thus define 
$enabled(\gamma) = enabled(\sigma)$, where $\sigma$ is an execution trace such that $cfg(\sigma) = \gamma$. 
Likewise, the successor configuration of $\gamma$ by a transition $\tau \in enabled(\sigma)$ is 
defined as the configuration reached when extending the trace $\sigma$ by transition $\tau$: 
$succ_\tau(\gamma) = cfg(\sigma\tau)$. This is again independent of $\sigma$ and we write $\gamma \xrightarrow{\tau} succ_\tau(\gamma)$. 

We now prove the desired independence properties for transitions in $\mathcal{L}(A)$. In 
general, two transitions are called independent if neither disables the execution 
of the other, and the same state is reached by executing them in either order: 
Definition 9. Two transitions $\tau_1$ and $\tau_2$ are independent iff for any finite exe- 
cution trace $\sigma$ such that $\tau_1, \tau_2 \in enabled(\sigma)$ the following two conditions hold: 

• Enabledness: $\tau_2 \in enabled(\sigma\tau_1) \wedge \tau_1 \in enabled(\sigma\tau_2)$ 

• Commutativity: $fin(\sigma\tau_1\tau_2) = fin(\sigma\tau_2\tau_1) \wedge enabled^*(\sigma\tau_1\tau_2) = enabled^*(\sigma\tau_2\tau_1)$ 
where $fin(\sigma)$ denotes the last state on the trace $\sigma$. 



Theorem 1. Two (action or local delay) transitions $\tau_1, \tau_2 \in T_l$ that involve 
disjoint sets of automata ($active(\tau_1) \cap active(\tau_2) = \emptyset$) are independent. 

Proof. For all $j \in active(\tau_2)$, we have $j \notin active(\tau_1)$, hence $cfg_j(\sigma\tau_1) = cfg_j(\sigma)$. 
Therefore, $\tau_2 \in enabled(\sigma) \Rightarrow \tau_2 \in enabled(\sigma\tau_1)$, and symmetrically for $\tau_1$. Also, 
since $active(\tau_1) \cap active(\tau_2) = \emptyset$, each local configuration is changed at most 
once, either by $\tau_1$ or by $\tau_2$, irrespective of their ordering. Therefore, $cfg(\sigma\tau_1\tau_2) = 
cfg(\sigma\tau_2\tau_1)$ and $fin(\sigma\tau_1\tau_2) = fin(\sigma\tau_2\tau_1)$. Since the enabled transitions are deter- 
mined by the reached configuration, $enabled^*(\sigma\tau_1\tau_2) = enabled^*(\sigma\tau_2\tau_1)$. □ 

A finite trace $\sigma$ in $\mathcal{L}(A)$ is called synchronized if $time_i(\sigma) = time_j(\sigma)$ for 
all $i, j \in \overline{1,n}$, i.e., if all automata have executed for the same amount of time, 
denoted by $time(\sigma)$. The following theorem relates the reachable state spaces of 
the standard and local-time models (cf. [ref]): 

Theorem 2. Each state reachable in $\mathcal{S}(A)$ is also reachable in $\mathcal{L}(A)$. Moreover, 
each state reached by a synchronized trace in $\mathcal{L}(A)$ is also reachable in $\mathcal{S}(A)$. 

Proof. First, any trace in $\mathcal{S}(A)$ yields a trace in $\mathcal{L}(A)$ by replacing each global 
delay transition $\xrightarrow{d}$ with the sequence of local delay transitions $\xrightarrow{d}_1 \dots \xrightarrow{d}_n$. 

The reverse implication follows by induction on the number of action transi- 
tions in the trace $\sigma_l$ of $\mathcal{L}(A)$. For the base case, if $\sigma_l$ is synchronized and contains 
only local delay transitions, they sum up to the same total delay d. Then, $fin(\sigma_l)$ 
is reachable in $\mathcal{S}(A)$ by executing the global delay transition $\xrightarrow{d}$. 

For the induction step, let a be the action transition in $\sigma_l$ executed at the 
latest timepoint, $t_a \le t = time(\sigma_l)$. In every automaton, $\sigma_l$ ends with local delay 
transitions totaling at least $t - t_a$. Removing this delay in every automaton yields 
a synchronized trace $\sigma_l'$ with $time(\sigma_l') = t_a$. In $\sigma_l'$, a is the last transition in all 
participating automata. Its removal yields a synchronized execution trace $\sigma_l''$ 
with fewer action transitions. By the induction hypothesis, $fin(\sigma_l'')$ is reachable 
in $\mathcal{S}(A)$, and $fin(\sigma_l)$ is reachable from it by executing $\xrightarrow{a}$ followed by $\xrightarrow{t - t_a}$. □ 



3.4 Local-Time Zone Automaton 

An analogue of the zone automaton [ref], which represents sets of timed states 
using clock constraints, can be derived for the local-time model [ref]. A local-time 
zone is a convex set of configurations $z \subseteq \Sigma_c$ with the same control state. A 
transition is enabled in a zone iff it is enabled in some configuration in the zone: 
$enabled(z) = \{\tau \in T \mid \exists \gamma \in z.\ \tau \in enabled(\gamma)\}$. The successor of a zone z by a 
transition $\tau \in enabled(z)$ is $succ_\tau(z) = \{succ_\tau(\gamma) \mid \gamma \in z \wedge \tau \in enabled(\gamma)\}$. 
For the standard zone automaton, an exploration step consists of an action 
transition followed by a delay transition of arbitrary amount. For the local-time 
model, we combine an action transition with subsequent delay transitions in all 
automata belonging to its active set, and show: 

Proposition 2. For any finite execution trace $\sigma$, there exists a trace $\sigma'$ with 
the same final configuration, which starts with a local delay transition in each 
component automaton, after which every subsequent action transition is followed 
by local delay transitions in all participating automata. 

Proof. A delay transition $\xrightarrow{d}_i$ commutes with any other delay transition, and 
with action transitions a for which $i \notin active(a)$. Thus, a delay transition can 
be moved towards the beginning of the execution trace $\sigma$ (merging consecutive 
delay transitions in the same automaton) until the preceding action transition 
involves the same automaton, or there are no preceding action transitions. □ 

Based on this result, we define the zone successor operation as follows: 

$succ_l(z, a) = \{\gamma_k \in \Sigma_c \mid \exists \gamma \in z,\ \exists d_{i_1}, \dots, d_{i_k} \in \mathbb{R}^+.\ \gamma \xrightarrow{a} \gamma' \xrightarrow{d_{i_1}}_{i_1} \gamma_1 \cdots \xrightarrow{d_{i_k}}_{i_k} \gamma_k\}$ 

where $active(a) = \{i_1, i_2, \dots, i_k\}$. An initial local-time zone is the set of all 
configurations reachable from an initial state by a sequence of delay transitions: 

$init_l(s^0) = \{cfg(\sigma) \mid \exists d_1, \dots, d_n \in \mathbb{R}^+.\ \sigma = (s^0, 0_C) \xrightarrow{d_1}_1 (s^0, v^1) \dots \xrightarrow{d_n}_n (s^0, v^n)\}$ 

If $succ_l^i(z) = \{\gamma' \mid \exists \gamma \in z,\ \exists d \in \mathbb{R}^+.\ \gamma \xrightarrow{d}_i \gamma'\}$ is the successor by an arbitrary 
local delay, then $init_l(s^0) = (succ_l^n \circ \dots \circ succ_l^1)(\gamma^0(s^0))$ and $succ_l(z, a) = 
(succ_l^{i_k} \circ \dots \circ succ_l^{i_1} \circ succ_a)(z)$, where $\circ$ denotes function composition. 

Definition 10. The local-time zone automaton $\mathcal{Z}_l(A)$ for a network of automata 
A is a tuple $(Z_l, Z_l^0, succ_l)$, with $Z_l^0 = \{init_l(s^0) \mid s^0 \in S^0\}$ the set of initial 
local-time zones, $succ_l$ the successor relation defined above, and $Z_l$ the set of 
local-time zones reachable by successive application of $succ_l$ from an initial zone. 

Together with Prop. 2 this definition implies directly the following: 

Theorem 3. A state is reachable in the model $\mathcal{L}(A)$ iff it belongs to a zone z 
which is reachable in the local-time zone automaton $\mathcal{Z}_l(A)$. 

3.5 Representation of Local-Time Zones 

In [ref], it is shown how local-time zones can be represented by difference bound 
matrices [ref] using one additional variable per automaton. For a class of timed 
automata, we derive an improved representation which does not need additional 
space compared to the standard zone automaton. 

The difference between two clocks is invariant to global delay transitions, 
but in the local-time model, it may be changed by a local delay transition if the 
clocks belong to different automata. However, since a transition $\xrightarrow{d}_i$ increments 
both $time_i$ and the clocks in $C_i$, the value $time_i - v_i(x)$ is invariant to local delay 
transitions. Indeed, it represents the timepoint at which clock x was last reset. 
Consider the new variables $t_i$ for $i \in \overline{1,n}$ (the reference time in $A_i$) and $t_x$ 
for all clocks $x \in C$ (the last reset time of x). Denote $T_i = \{t_x \mid x \in C_i\}$ for 
$i \in \overline{1,n}$, $T_i^+ = T_i \cup \{t_i\}$, $T = \{t_x \mid x \in C\} = \bigcup_{i=1}^{n} T_i$, and $T^+ = \bigcup_{i=1}^{n} T_i^+$. For a 
configuration $(s, v, time)$, define the valuation $\bar v : T^+ \to \mathbb{R}^+$ by $\bar v(t_i) = time_i$ for 
$i \in \overline{1,n}$ and $\bar v(t_x) = time_i - v(x)$ for $x \in C_i$. Conversely, $\bar v$ uniquely determines 
v and $time$, and $(s, \bar v)$ is an alternate representation for a configuration. 

Any atomic clock constraint appearing in the description of A can be rewrit- 
ten as a difference constraint over $T^+$. In a difference constraint $x - y \prec c$, both 
clocks belong to the same automaton $A_i$, and $x - y = (t_i - t_x) - (t_i - t_y) = t_y - t_x$. 
Likewise, $x \prec c$ and $c \prec x$ are rewritten as $t_i - t_x \prec c$ and $t_x - t_i \prec -c$. 

A local-time clock zone is the set of valuations belonging to a local-time zone. 
A zone is written as $(s, \psi_l)$ with s the control state and $\psi_l$ the clock zone. 

Proposition 3. A local-time clock zone can be written as a difference constraint 
over the variables in $T^+$: $\psi_l = \bigwedge_{t_u, t_w \in T^+} t_u - t_w \prec c_{uw}$. 

Proof. Initially, $t_x = t_i = t_0$, $\forall x \in C_i$, $i \in \overline{1,n}$. Thus, $\psi_l = \bigwedge_{t_u, t_w \in T^+} t_u - t_w \le 0$. 

For an action transition $(s, \bar v) \xrightarrow{a} (s', \bar v')$, we have $\bar v'(t_u) = \bar v(t_u)$ for $u \notin R_a$ and 
$\bar v'(t_x) = t_{i_x}$ for $x \in R_a$ (with $x \in C_{i_x}$). We denote this by $\bar v' = \bar v[t_x \leftarrow t_{i_x}]_{x \in R_a}$ 
and extend the notation to clock zones. Also, the enabling condition $\psi_a$ holds 
for $\bar v$ and the reference times in $T_a = \{t_i \mid i \in active(a)\}$ are equal. Thus, 
$succ_a(\psi_l) = \{\bar v' \mid (s, \bar v) \xrightarrow{a} (s', \bar v')\} = (\psi_l \wedge \psi_a \wedge \bigwedge_{t_i, t_j \in T_a} t_i = t_j)[t_x \leftarrow t_{i_x}]_{x \in R_a} = 
[\exists X_a.\ \psi_l \wedge \psi_a \wedge \bigwedge_{t_i, t_j \in T_a} t_i = t_j] \wedge \bigwedge_{x \in R_a} t_x = t_{i_x}$, with $X_a = \{t_x \mid x \in R_a\}$ and $\exists X_a$ 
denoting quantification over all variables in $X_a$. Since difference constraints are 
closed under conjunction and quantification, $succ_a(\psi_l)$ is a difference constraint. 

For a local delay transition $(s, \bar v) \xrightarrow{d}_i (s, \bar v')$, we have $\bar v'(t_i) = \bar v(t_i) + d$ and 
$\bar v'(t_u) = \bar v(t_u)$ for all $t_u \in T^+ \setminus \{t_i\}$. Denote this by $\bar v' = \bar v +_i d$ and the successor 
of $\psi_l$ after an arbitrary delay as $\psi_l\!\uparrow^i = \{\bar v' \mid \exists \bar v \in \psi_l, \exists d \in \mathbb{R}^+.\ \bar v' = \bar v +_i d\}$. 
We have $\exists d \in \mathbb{R}^+.\ \psi_l[t_i - d / t_i] = \exists t' \in \mathbb{R}^+.\ \psi_l[t'/t_i] \wedge t' - t_i \le 0$, where 
$e[y/x]$ denotes substitution of y for x in e. Since $(s, \bar v) \xrightarrow{d}_i (s, \bar v')$ iff $\bar v' = \bar v +_i d$ and 
$I_i(s_i)(\bar v')$ holds, we have $succ_l^i(\psi_l) = \psi_l\!\uparrow^i \wedge I_i(s_i)$, again a difference constraint. 
Combining action and delay steps, we obtain the relation: 

$succ_l(\psi_l, a) = \big([\exists X_a.\ \psi_l \wedge \psi_a \wedge \bigwedge_{t_i, t_j \in T_a} t_i = t_j] \wedge \bigwedge_{x \in R_a} t_x = t_{i_x}\big)\!\uparrow^{i_1} \cdots \uparrow^{i_k} \wedge \bigwedge_{i \in active(a)} I_i(s_i')$ 

where $active(a) = \{i_1, \dots, i_k\}$. 
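The Fig. 1 argument of Section 3.1 and the reset-time representation of this section, worked through as an added example (not code from the paper): a small difference bound matrix implementation, assumed to use non-strict integer bounds only and assuming the two automata of Fig. 1 carry no guards or invariants, shows that the standard zones after a;b and b;a differ while the local-time zones built by the succ_l steps above coincide, as Theorem 1 predicts for transitions with disjoint active sets.

```python
"""Added example, not code from the paper: a minimal difference bound matrix
(DBM) zone for the two-automaton system of Fig. 1, in the standard clock
representation (Section 3.1) and in the reset-time representation (Section 3.5).

Assumptions: bounds are non-strict integers only (the paper's (<, c)/(<=, c)
pairs are simplified), INF means "no bound", and the two automata carry no
guards or invariants, so only resets and delays matter."""
from itertools import product

INF = float("inf")


class DBM:
    """Zone over variables `names`; D[i][j] = c encodes names[i] - names[j] <= c.
    Index 0 is the constant-zero reference of a standard DBM."""

    def __init__(self, names):
        self.names = ["0"] + list(names)
        n = len(self.names)
        self.D = [[0] * n for _ in range(n)]   # the single point: all variables 0

    def idx(self, name):
        return self.names.index(name)

    def canonical(self):
        """Floyd-Warshall closure: every bound is the tightest one implied."""
        n = len(self.names)
        for k, i, j in product(range(n), repeat=3):
            if self.D[i][k] + self.D[k][j] < self.D[i][j]:
                self.D[i][j] = self.D[i][k] + self.D[k][j]
        return self

    def is_empty(self):
        return any(self.D[i][i] < 0 for i in range(len(self.names)))

    def free_up(self, moving):
        """Let the variables in `moving` grow together by an arbitrary d >= 0:
        upper bounds of a moving variable against a non-moving one vanish,
        differences inside the moving group survive. A global delay moves
        every clock; a local delay in A_i moves only the reference time t_i."""
        mv = {self.idx(m) for m in moving}
        for i in mv:
            for j in range(len(self.names)):
                if j not in mv:
                    self.D[i][j] = INF
        return self.canonical()

    def assign(self, target, source="0"):
        """target := source. With source "0" this is a clock reset; with
        source t_i it is the paper's t_x <- t_{i_x} (record the reset time)."""
        t, s = self.idx(target), self.idx(source)
        for j in range(len(self.names)):
            self.D[t][j] = self.D[s][j]
            self.D[j][t] = self.D[j][s]
        self.D[t][t] = 0
        return self

    def hull(self, other):
        """Smallest zone containing both zones (pointwise weakest bounds)."""
        h = DBM(self.names[1:])
        h.D = [[max(a, b) for a, b in zip(ra, rb)]
               for ra, rb in zip(self.D, other.D)]
        return h

    def __eq__(self, other):
        return self.names == other.names and self.D == other.D


def bound(z, u, w):
    """Upper bound on u - w in zone z (INF when unbounded)."""
    return z.D[z.idx(u)][z.idx(w)]


def global_zone(order):
    """Standard model of Fig. 1: clock x reset by a, clock y reset by b, a
    global delay of every clock after each action. `order` is "ab" or "ba"."""
    z = DBM(["x", "y"]).free_up(["x", "y"])            # initial zone: x = y
    for act in order:
        z.assign({"a": "x", "b": "y"}[act]).free_up(["x", "y"])
    return z


def unconstrained_global():
    """The zone `true` over x and y (x >= 0, y >= 0, nothing else)."""
    return DBM(["x", "y"]).free_up(["x"]).free_up(["y"])


def local_zone(order):
    """Reset-time representation of Section 3.5: t1, t2 are reference times,
    tx, ty last reset times. succ_l(z, a) assigns tx := t1 and then lets A1
    delay locally (only t1 moves); b does the same in A2."""
    z = DBM(["t1", "t2", "tx", "ty"]).free_up(["t1"]).free_up(["t2"])  # init_l
    for act in order:
        ref, clk = {"a": ("t1", "tx"), "b": ("t2", "ty")}[act]
        z.assign(clk, ref).free_up([ref])
    return z


if __name__ == "__main__":
    ab, ba = global_zone("ab"), global_zone("ba")
    print("global a;b: x - y <=", bound(ab, "x", "y"), ", y - x <=", bound(ab, "y", "x"))
    print("global b;a: x - y <=", bound(ba, "x", "y"), ", y - x <=", bound(ba, "y", "x"))
    print("global zones equal:", ab == ba, "; their hull is true:",
          ab.hull(ba) == unconstrained_global())
    print("local-time zones equal:", local_zone("ab") == local_zone("ba"))
```

The hull check reproduces the observation of Section 3.1 that the union of the two global zones is the unconstrained zone, which is what the local-time exploration reaches with a single interleaving.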
This representation of a local-time zone is monolithic and relates reset times 
of clocks to reference times in all automata, using n auxiliary reference times. 
For a certain class of networks, we prove the following simpler representation: 

Proposition 4. If each synchronization transition in a network of automata A 
resets at least one clock in each participating automaton, a local-time clock zone 
has the form $\psi_l = \psi_\Delta(T) \wedge \bigwedge_{i=1}^{n} \psi_i(T_i, t_i)$, where: 

• $\psi_\Delta(T) = \bigwedge_{t_x, t_y \in T} t_x - t_y \prec c_{xy}$, with $c_{xy} \in \mathbb{Z}$ 

• $\psi_i(T_i, t_i) = \bigwedge_{t_x \in T_i} (t_i - t_x \prec c_{ix} \wedge t_x - t_i \prec c_{xi})$, with $c_{ix}, c_{xi} \in \mathbb{Z}$ 

We call A a sync-reset network of automata. The term $\psi_\Delta(T)$ relates pairs of 
reset times, while $\psi_i(T_i, t_i)$ relates $t_i$ to the reset times in automaton $A_i$. 
Proof. The initial zone is written as: $init_l(s^0) = \bigwedge_{t_x, t_y \in T} (t_x - t_y \le 0) \wedge \bigwedge_{i=1}^{n} \bigwedge_{t_x \in T_i} (t_x - t_i \le 0)$. 
For $succ_l$, the term $\psi_l \wedge \psi_a \wedge \bigwedge_{t_i, t_j \in T_a} t_i = t_j$ from Prop. 3 has the required form, 
save for $t_i = t_j$. Quantification over $X_a$ adds constraints between $t_i$ and $t_z$ for 
$i \in active(a)$, $t_z \in T$. By assumption, for every $i \in active(a)$, a clock $x \in R_a \cap C_i$ 
is reset, yielding $t_x = t_i$. Hence, constraints on $t_i - t_z$ can be included in $\psi_\Delta$ 
as constraints on $t_x - t_z$. Finally, executing $\uparrow^i$ for $i \in active(a)$ removes the 
equalities $t_i = t_j$, and adds constraints on $t_z - t_j$ with $z \notin C_j$. Likewise, these 
can be replaced with $t_z - t_y$ for $y \in R_a \cap C_j$, which are in the desired form. □ 

Clock constraints are usually represented as difference-bound matrices [ref], 
which are indexed by clock variables and whose elements are bounds, i.e., pairs 
$(\prec, c)$ corresponding to an atomic clock constraint. The component $\psi_\Delta$ of a local- 
time zone can be represented as a DBM of dimension $|C|$ (the total number of 
clocks). Each constraint $\psi_i$ requires $2 \cdot |C_i|$ time bounds, for a total of $2 \cdot |C|$, 
i.e., an additional row and column. Thus, $\psi_l$ can be represented by a matrix of 
dimension $|C| + 1$, the same size as the DBM used in the standard algorithm. 
However, only the submatrices corresponding to individual automata (with ref- 
erence time) and the submatrix for $\psi_\Delta$ (without reference times) are subject 
to DBM operations. The successor computation is done first on the submatrix 
corresponding to the active automata (after enforcing the synchronization con- 
straints $t_i = t_j$). Strengthened constraints may lead to the recanonicalization of 
$\psi_\Delta$ and possibly of submatrices for other individual automata. 

If an automaton in the network has synchronization transitions that do not 
reset clocks, an additional clock can be inserted into the automaton for this 
purpose. This transforms any network of automata into a sync-reset network, 
with potentially fewer than n additional time variables. 



3.6 Preservation of $\mathrm{LTL}_\Delta$ Formulas 

Since in the local-time model $\mathcal{L}(A)$ the execution order of transitions is relaxed, 
$\mathcal{L}(A)$ accepts a richer set of behaviors than $\mathcal{S}(A)$. This section establishes restric- 
tions on the local-time model which ensure that each of its traces is equivalent 
to a trace of the standard model with respect to a given $\mathrm{LTL}_\Delta$ formula $\varphi$. 

We extend $\mathrm{LTL}_\Delta$ to the local-time model by defining the satisfaction of an 
atomic time constraint in a configuration: $(s, \bar v) \models x - y \prec c$ iff $\bar v(t_y) - \bar v(t_x) \prec c$. 
For $x \in C_i$ and $y \in C_j$ we have $\bar v(t_y) - \bar v(t_x) = (time_j - v(y)) - (time_i - v(x))$. 
Thus, in a synchronized configuration, the semantics is the same as in $\mathcal{S}(A)$. The 
transitions which affect the truth value of a formula are identified as follows: 

Definition 11. (Visibility) A transition $(s, v) \to (s', v')$ is invisible with respect 
to a specification $\varphi$ if every atomic subformula of $\varphi$ has the same truth value 
in $(s, v)$ and $(s', v')$. A transition which is not invisible is called visible. 

A transition in $\mathcal{L}(A)$ is visible if it connects two states which differ by at least 
one atomic proposition in the specification or it resets at least one clock in the 
specification, affecting the truth value of a difference constraint. Delay transitions 
are invisible, since they don't change the control state and don't reset clocks. 
For a network of timed automata A and a formula $\varphi$ in $\mathrm{LTL}_\Delta$ denote by $\mathcal{F}^\varphi(A)$ 
the set of those traces of $\mathcal{L}(A)$ which satisfy the following properties: 

• Ordering (O): Visible transitions occur in increasing order of their execution 
times. That is, in any trace $\sigma \in \mathcal{F}^\varphi(A)$, for visible transitions $\tau_k$ and $\tau_l$ with 
$k < l$, we have $time(\tau_k) \le time(\tau_l)$ (where $time(\tau)$ is the execution time of $\tau$). 

• Fairness (F): Time progress is unbounded in all automata. That is, for any 
trace $\sigma \in \mathcal{F}^\varphi(A)$, $i \in \overline{1,n}$ and $M \in \mathbb{R}^+$, there exists $k \in \mathbb{N}$ with $time_i(\sigma_k) > M$. 

Theorem 4. Given an $\mathrm{LTL}_\Delta$ formula $\varphi$, for any execution trace in $\mathcal{S}(A)$ there 
exists an execution trace in $\mathcal{F}^\varphi(A)$ with the same truth value for $\varphi$ and vice versa. 

Proof. The direct implication is straightforward: from a trace $\sigma$ in $\mathcal{S}(A)$ con- 
struct a trace $\sigma_l$ in $\mathcal{L}(A)$ by replacing each global delay transition $\xrightarrow{d}$ with the 
sequence of local delay transitions $\xrightarrow{d}_1 \dots \xrightarrow{d}_n$. The trace $\sigma_l$ satisfies O, since 
no action transitions are reordered, and F, since the same delay transitions are 
executed in each automaton. Because delay transitions are invisible, this trans- 
formation preserves the truth value of $\varphi$, and $\sigma \models \varphi$ iff $\sigma_l \models \varphi$. 

For the reverse implication, we construct $\sigma$ from $\sigma_l$ by reordering all transi- 
tions in increasing order of their timepoints. The ordering condition O guarantees 
that no visible transitions are reordered, and the truth value of the formula is not 
changed. Delay transitions may be split and reordered so every action transition 
is preceded by equal delays in all automata. The fairness condition F guarantees 
that for all automata, local delay transitions with the needed amount exist in $\sigma_l$. 
Finally, all local delay transitions between two consecutive action transitions are 
merged into a global delay transition, resulting in a trace $\sigma$ of $\mathcal{S}(A)$. □ 

Based on the above theorem, we proceed as follows: We first define a restricted 
local-time model $\mathcal{L}^\varphi(A)$ whose traces satisfy the ordering condition O. Next, we 
construct a zone automaton $\mathcal{Z}_l^\varphi(A)$ whose states are local-time atoms, i.e., sets 
of configurations with the same truth value for all atomic subformulas of $\varphi$. We 
show a correspondence between the traces of $\mathcal{L}^\varphi(A)$ and $\mathcal{Z}_l^\varphi(A)$, and then impose 
a fairness condition corresponding to F to ensure equivalence with the standard 
model. Finally, we apply a maximization to the atoms in $\mathcal{Z}_l^\varphi(A)$ to obtain an 
automaton $\mathcal{M}_l^\varphi(A)$ which is finite and therefore amenable to model checking. 

To preserve the ordering of visible transitions, we introduce a new reference variable $t_V$, denoting the timepoint of the last visible transition executed. The domain of the valuation $v$ is extended to include $t_V$. In the initial configuration, $v(t_V) = 0$. The model $\mathcal{L}^O(A)$ is defined in the same way as $\mathcal{L}(A)$, but with the additional restriction $v(t_V) < time(a)$ for executing a visible transition $a$, and $v'(t_V) = time(a)$ in the resulting configuration. Thus, each visible transition is executed at a later timepoint than the previous one, and condition O holds.
The zone successor formula for a visible transition becomes: succ'^{tpi) = 

^ 3 ^ ^tieTa ^X^iRa ? 

For invisible transitions, the successor operation remains the same. 

The ordering condition O can also be ensured without a new variable by a stronger condition on the traces of $\mathcal{L}(A)$. This requires a visible transition to precede in time all action transitions which follow it in the execution trace and is enforced by the conjunct $time(a) < t_j$.

In this case, the zone successor formula for visible transitions is written: 

SUCc’^{tpi) = [3x„-'0A'0aAAt^,tj6ra ~ AtjGTa,tj^T„ — ^j]^/\xeRa ~ 

To perform model checking, we consider zones in which every configuration satisfies the same atomic subformulas of the specification $\varphi$ (cf. [ ]):

Definition 12. (Atom) Given a timed automaton $A$ and an LTL formula $\varphi$, an atom is a zone $(s, \psi_i)$ such that $v_1(t_y) - v_1(t_x) \prec c \Leftrightarrow v_2(t_y) - v_2(t_x) \prec c$ for all $v_1, v_2 \in \psi_i$ and any constraint $x - y \prec c$ in $\varphi$.

For each atomic clock constraint in $\varphi$, consider a new atomic proposition $q_k = t_{y_k} - t_{x_k} \prec_k c_k$. Thus, $\varphi$ is reduced to a next-time free LTL formula $\varphi_q$. All configurations in an atom have the same truth value for all propositions $q_k$. The atoms comprising a zone $(s, \psi_i)$ are given by the nonempty intersections between $\psi_i$ and all constraints $t_{y_k} - t_{x_k} \prec_k c_k$, either in positive or negated form: $atoms_\varphi((s, \psi_i)) = \{(s, \phi) \mid \phi = \psi_i \wedge \bigwedge_{k=1}^m q'_k,\ \phi \neq false,\ q'_k = q_k \text{ or } q'_k = \neg q_k\}$.

Define transitions between atoms as follows: $z \to z'$ if $a \in enabled(z)$ and $z' \in atoms_\varphi(succ_\varphi(z, a))$, and $z \Rightarrow z$ if at least one local state of $z$ has the invariant $I_i(s_i) = true$. We obtain an atom graph for $A$ and the formula $\varphi$:

Definition 13. (Atom graph) The atom graph $\mathcal{A}_\varphi(A)$ of a timed automaton $A$ with respect to formula $\varphi$ is a state-transition graph $(Z_\varphi, Z^0_\varphi, \to)$ with $Z^0_\varphi$ the set of initial local-time zones, $\to$ the atom transition relation and $Z_\varphi$ the set of atoms reachable from $Z^0_\varphi$ by repeated application of $\to$.

Then, our problem reduces to LTL model checking: 

Proposition 5. For each execution trace $\sigma_l$ of $\mathcal{L}^O(A)$, there is an atom sequence in $\mathcal{A}_\varphi(A)$ that has the same truth value for $\varphi_q$ as $\sigma_l$ has for $\varphi$ and vice versa.

Proof. The proof is based on reordering transitions as in Prop. [ ] (cf. also [ ]), with $\to$ transitions corresponding to series of action-delay transitions in $\mathcal{L}^O(A)$. In addition, $\Rightarrow$ transitions correspond to delay transitions in automata which remain indefinitely at a state with the invariant true. Again, the ordering condition O ensures that the truth value of the formula is preserved. □

We now restrict the zone execution sequences such that the execution traces included herein satisfy the fairness condition F. Otherwise, the local-time model may contain traces that stop executing some automata and do not correspond to any trace in the standard model. The fairness condition F is violated if the execution trace does not make infinite time progress in some automaton, i.e., if the growth of a clock is always restricted by a state invariant. This cannot happen if any clock which is infinitely often limited by an invariant is reset infinitely often, allowing time to diverge. The fairness constraint can thus be written in terms of the structure of the automaton, $\bigwedge_{x \in C} (\mathrm{GF}\, x.bounded \Rightarrow \mathrm{GF}\, x.reset)$. The model checking problem on the initial network of automata is thus reduced to LTL model checking of a finite Kripke structure with a set of fairness constraints.
A stronger fairness constraint restricts the atom graph $\mathcal{A}_\varphi(A)$ to zones that are synchronizable, i.e., contain at least one synchronized configuration (with $v(t_i) = v(t_j)$ for all $i, j \in \overline{1,n}$). This ensures that no more zones are explored in the local-time zone automaton than in the standard zone automaton, and the reduction is applied to a state space which is not larger than the original one. This guarantee comes at the expense of an additional check for the enabledness of transition $\Rightarrow$ in a given atom $z$, namely that $succ_\varphi(z, a)$ be synchronizable.

3.7 Building a Finite Model 

The local-time zone automaton can be infinite, since difference bounds on clocks can become arbitrarily large. In [ ] a finite quotient is shown to exist, but no method to compare local-time zones for equivalence is given. We show that, just as for the standard zone automaton, the actual value of time bounds does not affect the enabledness of transitions, once a certain value is exceeded. Hence, each local-time zone can be normalized to obtain a finite model.

We adapt the maximization (rounding) operation described, e.g., in [ ] to the local-time model. Let $c_{max}$ be the maximum absolute value of all constants in the automaton $A$ and the formula $\varphi$. Adapting the region graph construction of [ ], two valuations $v$ and $v'$ are called region-equivalent (written $v \sim_{reg} v'$) if for any time variables $t_u, t_v$, either $\lfloor v(t_u) - v(t_v) \rfloor = \lfloor v'(t_u) - v'(t_v) \rfloor$ or both differences have the same sign and are greater in absolute value than $c_{max}$. Region equivalence extends to configurations by defining $(s, v) \sim_{reg} (s', v')$ iff $s = s'$ and $v \sim_{reg} v'$. Regions are the equivalence classes induced by $\sim_{reg}$ on the set of configurations $S_C$. It is straightforward to show:

Lemma 1. Let $v \sim_{reg} v'$. Then:

1. If $\psi$ is any constraint in $A$ or in the specification $\varphi$, then $v \in \psi$ iff $v' \in \psi$.

2. For any clock set $R$, $v[R := 0] \sim_{reg} v'[R := 0]$.

3. For $i \in \overline{1,n}$ and $d > 0$ there exists $d' > 0$ such that $v +_i d \sim_{reg} v' +_i d'$.

Since Lemma 1 covers all operations involved in executing a transition, the following property follows (cf. [ ]):

Proposition 6. Let $\gamma \sim_{reg} \gamma'$ be two region-equivalent configurations in $S_C$.

1. If $\gamma \xrightarrow{a} \gamma_1$, there exists $\gamma'_1 \sim_{reg} \gamma_1$ such that $\gamma' \xrightarrow{a} \gamma'_1$.

2. If $\gamma \xrightarrow{d} \gamma_1$, there exists $d' \in \mathbb{R}^+$ and $\gamma'_1 \sim_{reg} \gamma_1$ such that $\gamma' \xrightarrow{d'} \gamma'_1$.

The maximization of a zone $z$ is the set of configurations which have some region-equivalent configuration in $z$: $max(z) = \{\gamma' \in S_C \mid \exists \gamma \in z.\ \gamma \sim_{reg} \gamma'\}$. A maximized zone is therefore a convex union of regions. It is easily seen that a maximized zone is obtained from the canonical representation of a zone by modifying all constraints involving constants $d$ with $d > c_{max}$: $t_u - t_v \prec -d$ becomes $t_u - t_v < -c_{max}$ and $t_u - t_v \prec d$ becomes $t_u - t_v < \infty$ (trivially true). Furthermore, by point (1) of Lemma 1 a maximized atom is in turn an atom. Define $succ^{max}_\varphi(z, a) = max(succ_\varphi(z, a))$ and let $\mathcal{M}_\varphi(A)$ be the atom graph induced by $succ^{max}_\varphi$ through repeated application from an initial zone. Since the constants in a maximized zone are bounded, it follows that $\mathcal{M}_\varphi(A)$ is finite.

By Prop. 6 the same transitions are enabled in every point of a region. Since a maximized atom is the closure of an atom with respect to region equivalence, this implies that the atom graph $\mathcal{A}_\varphi(A)$ and the maximized atom graph $\mathcal{M}_\varphi(A)$ are bisimilar. Putting the previous results together, we obtain the following theorem, which reduces our initial problem to LTL model checking with fairness constraints on a finite model:

Theorem 5. The model $\mathcal{M}_\varphi(A)$ with the fairness constraint F is equivalent to the standard model $S(A)$ with respect to the formula $\varphi$.

3.8 Partial Order Reduction 

Partial order reduction constructs only a representative part of the state space of a model, while preserving the verified property. This is done by exploring a subset of the enabled transitions at each state, instead of the entire set. Several criteria for choosing the subset of explored transitions have been developed. We follow the approach of Peled [ ] in which the selected transitions are denoted as an ample set and have to satisfy the following conditions:

C0 Emptiness: $ample(s) = \emptyset$ iff $enabled(s) = \emptyset$.

C1 Ample decomposition: On any path from any state $s$, a transition in $ample(s)$ appears before the first transition dependent on a transition in $ample(s)$.

C2 Invisibility: If $ample(s) \neq enabled(s)$, all transitions in $ample(s)$ are invisible.

C3 Cycle closing: A transition enabled in every state of a cycle in the reduced state graph belongs to the ample set of some state on that cycle.

Having established the visible transitions in the model $\mathcal{M}_\varphi(A)$, one needs to determine the transition dependence relation. Bengtsson et al. [ ] give a purely structural dependence relation, identical to that for untimed parallel composition: two transitions are independent if the two sets of automata involved in each of them are disjoint. This condition is sufficient for the local-time model $\mathcal{L}(A)$, as shown by Theorem [ ]. Since transitions in the zone automaton are composed of action and local delay transitions in the local-time model, the commutativity relation also follows for the zone automaton:

$succ_\varphi(succ_\varphi(z, a), b) = succ_\varphi(succ_\varphi(z, b), a)$ if $active(a) \cap active(b) = \emptyset$

However, in the local-time zone automaton, just like in the standard zone automaton, transitions which are both enabled in a zone may actually be enabled in different sets of configurations belonging to that zone.

Let $A_1$ and $A_2$ be two automata with clock sets $\{x, u\}$ and $\{y, v\}$, and consider a zone that is reached after executing two synchronization transitions, one resetting $x$ and $y$, and the second resetting $u$ and $v$. Thus, we have $t_x = t_y$ and $t_u = t_v$. Assume now that transition $a$ in $A_1$ has enabling condition $x - u = t_u - t_x < 2$ and transition $b$ in $A_2$ requires $y - v = t_v - t_y > 3$. Since $t_u - t_x = t_v - t_y$ due to the previous synchronizations, the two conditions cannot be satisfied simultaneously. Exploring either of $a$ and $b$ restricts the current local-time zone to a fragment where the other transition is no longer enabled.
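As an added example (not code from the paper), the following Python represents local-time zones as difference-bound matrices over the time variables $t_x$ and uses them for two things: the rounding step of Section 3.7 with $c_{max}$, and the check behind the example just given, where $a$ and $b$ are each enabled in the zone but no configuration of the zone satisfies both guards. The variable names, the constant $c_{max} = 5$, the sample bounds and the extra constraint $t_x \le t_u$ are assumptions of this example.

```python
from itertools import product
from math import inf

# A bound is a pair (d, kind): kind LE means "<= d", kind LT means "< d".
# Tuple order makes (d, LT) tighter than (d, LE); adding two bounds adds the
# constants and keeps the result strict if either operand is strict.
LT, LE = 0, 1
NO_BOUND = (inf, LE)

def add_bounds(b1, b2):
    return (b1[0] + b2[0], min(b1[1], b2[1]))

class Zone:
    """A local-time zone over time variables t_x: a conjunction of
    constraints t_u - t_v (<= or <) d stored as a difference-bound matrix
    and kept in canonical form (tightest bound for every pair)."""

    def __init__(self, variables):
        self.vars = list(variables)
        self.bound = {u: {v: ((0, LE) if u == v else NO_BOUND) for v in self.vars}
                      for u in self.vars}

    def copy(self):
        z = Zone(self.vars)
        z.bound = {u: dict(row) for u, row in self.bound.items()}
        return z

    def canonical(self):
        # Floyd-Warshall closure over the constraint graph
        for k, i, j in product(self.vars, repeat=3):
            via = add_bounds(self.bound[i][k], self.bound[k][j])
            if via < self.bound[i][j]:
                self.bound[i][j] = via
        return self

    def constrain(self, u, v, d, kind=LE):
        """New zone with the additional constraint t_u - t_v (kind) d."""
        z = self.copy()
        z.bound[u][v] = min(z.bound[u][v], (d, kind))
        return z.canonical()

    def consistent(self):
        # the closure tightens a diagonal entry below "t_u - t_u <= 0"
        # exactly when the constraints contradict each other (empty zone)
        return all(self.bound[u][u] == (0, LE) for u in self.vars)

    def maximize(self, c_max):
        """Rounding of Section 3.7 on a canonical zone: a bound t_u - t_v <= d
        with d > c_max is dropped, and one with d < -c_max becomes the
        strict bound t_u - t_v < -c_max."""
        z = self.copy()
        for u, v in product(self.vars, repeat=2):
            d = z.bound[u][v][0]
            if d > c_max:
                z.bound[u][v] = NO_BOUND
            elif d < -c_max:
                z.bound[u][v] = (-c_max, LT)
        return z

def enabled(zone, guard):
    """A transition is enabled in a zone if some configuration of the zone
    satisfies its guard, i.e. zone AND guard is a non-empty zone."""
    for u, v, d, kind in guard:
        zone = zone.constrain(u, v, d, kind)
    return zone.consistent()

def section_3_8_zone():
    """Constructed zone of the example above: A1 has clocks {x, u}, A2 has
    clocks {y, v}; one synchronization reset x and y, a later one reset u
    and v, so t_x = t_y, t_u = t_v and (assumed here) t_x <= t_u."""
    z = Zone(["t_x", "t_u", "t_y", "t_v"])
    z = z.constrain("t_x", "t_y", 0).constrain("t_y", "t_x", 0)
    z = z.constrain("t_u", "t_v", 0).constrain("t_v", "t_u", 0)
    return z.constrain("t_x", "t_u", 0)

GUARD_A = [("t_u", "t_x", 2, LT)]    # a in A1:  x - u = t_u - t_x < 2
GUARD_B = [("t_y", "t_v", -3, LT)]   # b in A2:  y - v = t_v - t_y > 3

def both_enabled_but_not_jointly():
    """(a enabled, b enabled, a and b satisfiable together) in the zone."""
    z = section_3_8_zone()
    return enabled(z, GUARD_A), enabled(z, GUARD_B), enabled(z, GUARD_A + GUARD_B)

def maximization_example(c_max=5):
    """Constructed zone 9 <= t_u - t_x <= 10 rounded with c_max = 5: the upper
    bound disappears, the lower bound becomes t_u - t_x > 5, and rounding
    again changes nothing."""
    z = Zone(["t_x", "t_u"]).constrain("t_u", "t_x", 10).constrain("t_x", "t_u", -9)
    m = z.maximize(c_max)
    return m.bound["t_u"]["t_x"], m.bound["t_x"]["t_u"], m.maximize(c_max).bound == m.bound

if __name__ == "__main__":
    print(both_enabled_but_not_jointly())   # (True, True, False)
    print(maximization_example())           # ((inf, 1), (-5, 0), True)
```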
Consequently, when selecting an ample set of transitions, one needs to check, just as for full state exploration, whether for every configuration in the current zone each of the explored automata is either forced to execute an action transition or allows indefinite time progress. Otherwise, a potential deadlock exists. For a local transition, this check can be made statically by analyzing the invariant of the originating state together with the guard condition of the transition. This gives us a practical condition for the selection of an ample set:

Proposition 7. In a sync-reset network of automata, a local transition in a process with a single clock does not disable transitions in other automata.

Proof. Given local transition $a$ in automaton $A_i$ with a single clock $x$, the constraints in the enabling condition of $a$ can be of the form $t_x - t_i \prec c$ and $t_i - t_x \prec c$. In a sync-reset network of automata, the representation of a local-time constraint links $t_i$ only to clocks in the same automaton, i.e., to $t_x$. Therefore, the conjunction $\psi_i \wedge \psi_a$ does not induce stronger constraints on the other time variables and does not affect the enabledness of transitions in other automata. □

Based on the above results, we can use the ample set approach to construct a reduced model for the automaton $\mathcal{M}_\varphi(A)$, and perform model checking by composing it with the tableau for the LTL formula $\varphi_q$.

4 Conclusions and Future Work 

We have presented a method that allows the application of partial order reduction to systems modeled as a composition of timed automata. The method results in a reduction of the state space, as well as of the number of clock zones that are generated for each control state. Compared to previous related work, this paper shows that partial order reduction can be used for model checking of properties described in a timed extension of linear temporal logic, rather than just for local reachability analysis. Furthermore, for a certain class of automata, we show that the local-time zones can be represented as efficiently as standard clock zones. We also analyze the dependence relation between transitions in the new model and give practical conditions for selecting an ample set.

An implementation of the presented algorithm is in progress, and we expect it to support the theoretical claims for efficiency improvement with experimental results. We also plan to extend the technique to models with other variants of synchronization, such as timed automata with deadlines. Of particular interest is a detailed comparison of the present approach with techniques developed for other timed models, such as time Petri nets and timed event level structures, and the possible improvements that may result from it. Finally, we plan to explore how partial order reduction can be used for other finite quotient representations of timed automata, such as the region graph construction.
Abstract. We present several interpretations of the behavior of P/T nets in terms of traces, event structures, and partial orders. Starting from results of Hoogers, Kleijn and Thiagarajan, we show how Petri nets determine local trace languages; these may be represented by local event structures in many ways, each method leading to a particular coreflection. One of these semantics is finally proved to be appropriate for the construction of a behavior preserving unfolding of Petri nets.



1 Introduction 

Petri nets are a well-known and widely used model for concurrent systems. Several interpretations of their behavior have been studied in the literature since the seminal papers of Mazurkiewicz [ ] and Nielsen, Plotkin and Winskel [ ].

As far as Place/Transition nets are concerned, two different interpretations have been followed. On the one hand, Meseguer, Montanari and Sassone [ ] have adopted the “individual token philosophy” for which it matters which token is used for the firing of a transition when several ones are available. In other words, tokens are provided with individual identities. In that way they succeeded in formally lifting to the level of Place/Transition nets the natural relationship between 1-safe nets and prime event structures [ ]. This is based on a notion of unfolding by means of decorated occurrence nets which generalise Engelfriet’s branching processes [ ]. On the other hand, the “collective token philosophy” does not distinguish between tokens in the same place. In this direction, Hoogers, Kleijn and Thiagarajan have developed a trace semantics for Place/Transition nets in which the behavior of a net is essentially described by equivalence classes of multiset firing sequences [ ]. Furthermore they have extended the strong relationship between 1-safe nets and prime event structures to the level of Place/Transition nets and local event structures [ ]. Finally van Glabbeek and Plotkin [ ] have also followed the “collective token philosophy” and presented an unfolding construction for Place/Transition nets which is proved to respect several behavioral equivalences.

In this paper, we adopt the second approach. We study some new semantics 
of Place/Transition nets and compare them to known ones with the help of 
examples. We present several interpretations of the behavior of Place/Transition 
nets in terms of traces, events structures and partial orders. We also introduce 
a new construction of unfolding for Petri nets which preserves and reflects the 
concurrent behaviors of the nets. 

We first explain how the trace semantics of Hoogers, Kleijn and Thiagarajan [ ] may be adapted to the simpler formalism of local trace languages [ ]. Following the “collective token philosophy”, the behaviors of a Petri net are described here by a set of equivalent firing sequences which form a local trace language. Moreover the local trace languages which correspond to a Petri net are characterized by a generalized regional criterion.

Next we come to the core of the paper. We recall that the model of local event structures was introduced by Hoogers, Kleijn and Thiagarajan [ ] in order to lift to the level of Place/Transition nets the classical connection between 1-safe nets and prime event structures. Actually only a specific subclass of local event structures, required to satisfy a so-called “unique occurrence property” [ ], was used as the framework of an event structure semantics of Petri nets. We give a positive answer to a question of Hoogers who suggested in his thesis a simpler “unique occurrence property”, and asked whether another semantics of Petri nets is possible with the corresponding local event structures [ , p.139]. As described in Fig. 1, in order to represent the behavior of a Petri net by a local event structure, we first consider its corresponding local trace language and then apply some recent results which link local trace languages and local event structures [ ]. We show that the answer to Hoogers’ question relies on a new, more sophisticated method to translate the local trace languages of Petri nets into local event structures. On the other hand, we prove that the corresponding partial orders of configurations admit a simple axiomatic characterization.

In fact, our main result gives a solution to a more generic problem which provides theoretically several other event structure semantics of Petri nets formalized by coreflections. Similarly to the approach of [ ], each of these semantics determines a notion of unfolding. However, these constructions suffer from a major drawback which prevents any extension of the useful notion of finite partial unfolding [ ]: they admit infinitely many places even if the underlying event structure is finite. That is why we propose a new unfolding construction which is similar to the classical notion of [ ] (and different from the proposal of [ ]) in that it essentially relies on an occurrence net. The main property of this construction is a one-to-one correspondence between the multiset firing sequences of a net and those of its unfolding.

However, for technical reasons, our study mainly concerns Petri nets without auto-concurrency, i.e. two instances of the same transition cannot occur concurrently at any marking. In the future, we should extend the results of [ ] in order to avoid this restriction. Moreover, the approach followed in this paper might also be applied to some more general classes of Petri nets, e.g. with capacities, read arcs or inhibitor arcs [ ].



2 Local Trace Languages 

In recent years, several generalizations of the classical Mazurkiewicz traces have been proposed in order to describe a concurrency between actions which can depend on the context [ ]. In [ ] Hoogers, Kleijn and Thiagarajan have introduced generalized trace languages in order to lift the semantical theory of 1-safe nets to the level of Place/Transition nets. We show in this section how their results adapt to the simpler formalism of local trace languages [ ]: any Petri net naturally determines a local trace language; moreover the local trace languages which correspond to a Petri net are characterized by a so-called regional criterion.

Fig. 1. Back and forth between Petri nets and local event structures.

Basic Notions and Notations. We will use the following notations: for any (possibly infinite) alphabet $\Sigma$, and any words $u \in \Sigma^*$, $v \in \Sigma^*$, we write $u \le v$ if $u$ is a prefix of $v$, i.e. there is $z \in \Sigma^*$ such that $u.z = v$; the empty word is denoted by $\varepsilon$. We write $|u|_a$ for the number of occurrences of $a \in \Sigma$ in $u \in \Sigma^*$ and $\wp_f(\Sigma)$ denotes the set of finite subsets of $\Sigma$. We write $\mathcal{M}_f(\Sigma)$ for the set of finite multisets over $\Sigma$ and for any multisets $p_1$ and $p_2$ over $\Sigma$, we write $p_1 \subseteq p_2$ if $\forall a \in \Sigma$, $p_1(a) \le p_2(a)$. For any $p \in \mathcal{M}_f(\Sigma)$, $Lin(p) = \{u \in \Sigma^* \mid \forall a \in \Sigma, |u|_a = p(a)\}$ is the set of linearisations of $p$. If $\lambda : \Sigma \to \Sigma'$ is a partial function from $\Sigma$ to $\Sigma'$, we also write $\lambda : \Sigma^* \to \Sigma'^*$ and $\lambda : \mathcal{M}_f(\Sigma) \to \mathcal{M}_f(\Sigma')$ to denote the naturally associated monoid morphisms.

Definition 2.1. A Petri net is a quadruple $\mathcal{N} = (S, T, W, M_{in})$ where

— $S$ is a set of places and $T$ is a set of transitions such that $S \cap T = \emptyset$;

— $W$ is a map from $(S \times T) \cup (T \times S)$ to $\mathbb{N}$, called weight function;

— $M_{in}$ is a map from $S$ to $\mathbb{N}$, called initial marking.

Given a Petri net $\mathcal{N} = (S, T, W, M_{in})$, $Mar_\mathcal{N}$ denotes the set of all markings of $\mathcal{N}$, that is to say functions $M : S \to \mathbb{N}$; a multiset $p$ of transitions is enabled at $M \in Mar_\mathcal{N}$ if $\forall s \in S$, $M(s) \ge \sum_{t \in T} p(t) \cdot W(s, t)$; in this case, we write $M [p\rangle M'$ where $M'(s) = M(s) + \sum_{t \in T} p(t) \cdot (W(t, s) - W(s, t))$ and say that the transitions of $p$ may be fired concurrently and lead to the marking $M'$. A multiset firing sequence consists of a sequence of markings $M_0, \ldots, M_n$ and a sequence of multisets of transitions $p_1, \ldots, p_n$ such that $M_0 = M_{in}$ and $\forall k \in [1, n]$, $M_{k-1} [p_k\rangle M_k$.

From Nets to Traces. The fundamental principle of generalized Mazurkiewicz traces is that the independence relation between actions in a given configuration depends on the sequence of actions that lead to this configuration.

Definition 2.2. A local independence relation on $\Sigma$ is a non-empty subset $I$ of $\Sigma^* \times \mathcal{M}_f(\Sigma)$. The trace equivalence $\sim$ induced by $I$ is the least equivalence on $\Sigma^*$ such that

TE$_1$: $\forall u, u' \in \Sigma^*$, $\forall a \in \Sigma$, $u \sim u' \Rightarrow u.a \sim u'.a$;

TE$_2$: $\forall (u, p) \in I$, $\forall p' \subseteq p$, $\forall u_1, u_2 \in Lin(p')$, $u.u_1 \sim u.u_2$.

A (local) trace is a $\sim$-equivalence class $[u]$ of a word $u \in \Sigma^*$.

Consider for instance the Petri net $\mathcal{N}_1$ of Fig. [ ]. In the initial marking, transitions $a$ and $c$ can be fired concurrently whereas the step $\{a, b\}$ is not enabled; thus the associated local independence relation $I$ should satisfy $(\varepsilon, \{a, c\}) \in I$ and $(\varepsilon, \{a, b\}) \notin I$. Yet, after $c$ has fired, $a$ and $b$ become independent so $(c, \{a, b\}) \in I$. More generally, we adopt naturally the following definition.

Definition 2.3. Let $\mathcal{N} = (S, T, W, M_{in})$ be a Petri net. The associated local independence relation is $I_\mathcal{N} = \{(a_1 \ldots a_n, p) \in T^* \times \mathcal{M}_f(T) \mid M_{in} [a_1\rangle M_1 \ldots [a_n\rangle M_n \wedge p \text{ is enabled at } M_n\}$.
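As an added example (not code from the paper), the following Python implements the multiset firing rule of Definition 2.1, the local independence relation $I_\mathcal{N}$ of Definition 2.3 and the trace equivalence of Definition 2.2 on a small constructed net that reproduces the three facts stated above for $\mathcal{N}_1$: $(\varepsilon, \{a, c\}) \in I$, $(\varepsilon, \{a, b\}) \notin I$ and $(c, \{a, b\}) \in I$. The net (places s1, s2, s3) is an assumption of this example and is not the net of the figure.

```python
from collections import Counter
from itertools import combinations, permutations

class PetriNet:
    """N = (S, T, W, M_in) of Def. 2.1. W maps (place, transition) and
    (transition, place) pairs to weights; absent pairs have weight 0."""

    def __init__(self, places, transitions, weights, initial_marking):
        assert not set(places) & set(transitions), "S and T must be disjoint"
        self.S, self.T = list(places), list(transitions)
        self.W = dict(weights)
        self.M_in = dict(initial_marking)

    def w(self, x, y):
        return self.W.get((x, y), 0)

    def enabled(self, marking, step):
        """A multiset of transitions (a Counter) is enabled at M if every
        place holds enough tokens for all instances of the step together."""
        return all(marking[s] >= sum(n * self.w(s, t) for t, n in step.items())
                   for s in self.S)

    def fire(self, marking, step):
        """M [step> M'  with  M'(s) = M(s) + sum p(t) * (W(t, s) - W(s, t))."""
        assert self.enabled(marking, step)
        return {s: marking[s] + sum(n * (self.w(t, s) - self.w(s, t))
                                    for t, n in step.items()) for s in self.S}

    def marking_after(self, word):
        """M_in [a1> M1 ... [an> Mn for a sequential word, or None."""
        m = dict(self.M_in)
        for a in word:
            if not self.enabled(m, Counter([a])):
                return None
            m = self.fire(m, Counter([a]))
        return m

    def independent(self, word, step):
        """(word, step) belongs to the local independence relation I_N."""
        m = self.marking_after(word)
        return m is not None and self.enabled(m, Counter(step))

    def language(self, max_len):
        """Sequential observations L = {u | (u, {}) in I_N}, up to max_len
        (the bound keeps the enumeration finite for nets with cycles)."""
        words, frontier = [()], [()]
        for _ in range(max_len):
            frontier = [u + (a,) for u in frontier for a in self.T
                        if self.marking_after(u + (a,)) is not None]
            words += frontier
        return words

def trace_classes(net, max_len):
    """Classes of the language under the trace equivalence of Def. 2.2: the
    least equivalence closed under TE1 (right concatenation) and TE2 (all
    linearisations of an independent step are equivalent). Steps are sets,
    as the nets considered in the paper are without auto-concurrency."""
    words = net.language(max_len)
    parent = {u: u for u in words}

    def find(u):
        while parent[u] != u:
            u = parent[u]
        return u

    def union(u, v):
        parent[find(u)] = find(v)

    # TE2: every sub-step of an independent step is independent (LTL1), so
    # iterating over all independent sets of size >= 2 covers the p' cases
    for u in words:
        for k in range(2, len(net.T) + 1):
            for p in combinations(net.T, k):
                if net.independent(u, p):
                    lins = [u + v for v in permutations(p) if u + v in parent]
                    for v in lins[1:]:
                        union(lins[0], v)
    # TE1: propagate u ~ u'  =>  u.a ~ u'.a until nothing changes
    changed = True
    while changed:
        changed = False
        for u, v in combinations(words, 2):
            if find(u) != find(v):
                continue
            for a in net.T:
                ua, va = u + (a,), v + (a,)
                if ua in parent and va in parent and find(ua) != find(va):
                    union(ua, va)
                    changed = True
    classes = {}
    for u in words:
        classes.setdefault(find(u), []).append(u)
    return sorted(sorted(c) for c in classes.values())

# Constructed net (an assumption of this example, not the net of the figure):
# a consumes s1, c moves a token from s3 to s2, and b consumes s2.
NET = PetriNet(
    places=["s1", "s2", "s3"], transitions=["a", "b", "c"],
    weights={("s1", "a"): 1, ("s2", "b"): 1, ("s3", "c"): 1, ("c", "s2"): 1},
    initial_marking={"s1": 1, "s2": 0, "s3": 1})

def net_example_facts():
    """The three independence facts stated for N1, then the size of the
    language and its number of traces (no word of this net exceeds length 3)."""
    return (NET.independent((), {"a", "c"}),
            NET.independent((), {"a", "b"}),
            NET.independent(("c",), {"a", "b"}),
            len(NET.language(3)),
            len(trace_classes(NET, 3)))

if __name__ == "__main__":
    print(net_example_facts())   # (True, False, True, 9, 6)
```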

A local independence relation which represents a Petri net clearly satisfies some natural properties, formalized by Axioms LTL$_1$, ..., LTL$_4$ of the next definition, which make it complete in the sense of [ ]. Therefore it corresponds to a local trace language as defined in [ ] and is naturally associated to a prefix-closed set of sequential observations defined by Axiom LTL$_5$ below.

Definition 2.4. A local trace language (LTL) over $\Sigma$ is a structure $\mathcal{L} = (\Sigma, I, L)$ where $L \subseteq \Sigma^*$ and $I$ is a local independence relation on $\Sigma$ such that

LTL$_1$: $(u, p) \in I \wedge p' \subseteq p \Rightarrow (u, p') \in I$;

LTL$_2$: $(u, p) \in I \wedge p' \subseteq p \wedge v \in Lin(p') \Rightarrow (u.v, p \setminus p') \in I$;

LTL$_3$: $u \sim u' \wedge (u, p) \in I \Rightarrow (u', p) \in I$;

LTL$_4$: $(u.a, \emptyset) \in I \Rightarrow (u, \{a\}) \in I$;

LTL$_5$: $u \in L \Leftrightarrow (u, \emptyset) \in I$.

The local trace language associated to a Petri net $\mathcal{N} = (S, T, W, M_{in})$ is $\mathrm{t}(\mathcal{N}) = (T, I_\mathcal{N}, L)$ where the local independence relation $I_\mathcal{N}$ is defined in Def. 2.3 and the set of sequential observations is $L = \{u \in T^* \mid (u, \emptyset) \in I_\mathcal{N}\}$.

For instance, the local trace language corresponding to the Petri net $\mathcal{N}_1$ of Fig. [ ] admits eight traces (depicted in Fig. [ ]) which are equivalence classes of sequential observations.

... and Back. Now, the characterization of the local trace languages which correspond to a Petri net is known to rely on a notion of region [ ].

Definition 2.5. A region of $\mathcal{L} = (\Sigma, I, L)$ is a triple $\rho = (Mar_\rho, Pre_\rho, Post_\rho)$ where $Mar_\rho$, $Pre_\rho$ and $Post_\rho$ are maps: $Mar_\rho : L \to \mathbb{N}$, $Pre_\rho : \Sigma \to \mathbb{N}$, $Post_\rho : \Sigma \to \mathbb{N}$ such that

Reg$_1$: $\forall u \in L$: $Mar_\rho(u) = Mar_\rho(\varepsilon) + \sum_{a \in \Sigma} |u|_a \cdot (Post_\rho(a) - Pre_\rho(a))$;

Reg$_2$: $\forall (u, p) \in I$: $Mar_\rho(u) \ge \sum_{a \in \Sigma} p(a) \cdot Pre_\rho(a)$.

A region $\rho$ is trivial if $\forall a \in \Sigma$, $Pre_\rho(a) = Post_\rho(a) = 0$. We denote by $\mathcal{R}_\mathcal{L}$ the set of non-trivial regions of $\mathcal{L}$. Note here that the map $Mar_\rho$ is entirely specified by $Mar_\rho(\varepsilon)$, $Pre_\rho$, and $Post_\rho$.

Theorem 2.6. A local trace language $\mathcal{L} = (\Sigma, I, L)$ is the language of a Petri net iff it satisfies the following regional condition:

$\forall u \in L$, $\forall p \in \mathcal{M}_f(\Sigma)$: $(\forall \rho \in \mathcal{R}_\mathcal{L},\ Mar_\rho(u) \ge \sum_{a \in \Sigma} p(a) \cdot Pre_\rho(a)) \Rightarrow (u, p) \in I$.

Moreover, in this case, $\mathcal{L}$ is precisely the language of the Petri net $\mathrm{n}(\mathcal{L}) = (\mathcal{R}_\mathcal{L}, \Sigma, W, M_{in})$ such that

$W : (\mathcal{R}_\mathcal{L} \times \Sigma) \cup (\Sigma \times \mathcal{R}_\mathcal{L}) \to \mathbb{N}$, $(\rho, a) \mapsto Pre_\rho(a)$, $(a, \rho) \mapsto Post_\rho(a)$;

$M_{in} : \mathcal{R}_\mathcal{L} \to \mathbb{N}$, $\rho \mapsto Mar_\rho(\varepsilon)$.

Proof. We establish a correspondence between the local trace languages of Def. 2.4 and the generalized trace languages of [ ] which satisfy axioms (H1), (H2), (H3), (PN1), (PN2), and (PN3) of that paper. Then the regional criterion (PN4) of [ ] adapts to the local trace languages and regions presented here. □

We should stress here that the Petri net $\mathrm{n}(\mathcal{L})$ associated to a local trace language $\mathcal{L}$ appears to be the maximal Petri net whose language is $\mathcal{L}$; in particular it admits an infinite number of places. This property will allow us to prove that $\mathrm{n}$ is the left adjoint of the translation $\mathrm{t}$ (Def. 2.4 and Th. 2.9). However, some approaches, such as the synthesis problem of bounded nets [ ], use a limited number of regions and places. This will also be the case in the third section of this paper, devoted to a notion of unfolding for Petri nets.

Universality of the Constructions. We provide here Petri nets and local trace languages with behavior preserving morphisms and adapt again results of Hoogers’ thesis [ ] to obtain a coreflection between the two models [ ].

Definition 2.7. [ ] A morphism from $\mathcal{N} = (S, T, W, M_{in})$ to $\mathcal{N}' = (S', T', W', M'_{in})$ is a pair $(\alpha, \beta)$ of partial functions $\alpha : T \to T'$ and $\beta : S' \to S$ such that

— $\forall s' \in S'$, if $\beta(s')$ is defined then $M'_{in}(s') = M_{in}(\beta(s'))$,

— $\forall t \in T$, $\forall s' \in S'$, $W'(s', \alpha(t)) = W(\beta(s'), t) \wedge W'(\alpha(t), s') = W(t, \beta(s'))$, with the convention that $W(x, y) = 0$ if $x$ or $y$ is undefined.

We denote by $\mathbf{PN}^+$ the category of Petri nets.

Local trace languages are equipped with morphisms which preserve independencies between actions.

Definition 2.8. A morphism $\lambda$ from $\mathcal{L} = (\Sigma, I, L)$ to $\mathcal{L}' = (\Sigma', I', L')$ is a partial function $\lambda : \Sigma \to \Sigma'$ such that $\forall (u, p) \in I$, $(\lambda(u), \lambda(p)) \in I'$. We denote by $\mathbf{LTL}^+$ the category of local trace languages provided with these morphisms.

The synthesis problem solved by Th. 2.6 can now be expressed in a categorical framework.

Theorem 2.9. The full subcategory $\mathbf{LTL}_{PN}$ of local trace languages satisfying the regional condition of Th. 2.6 is coreflective into the category of Petri nets.
Fig. 5. From co-safe Petri nets (PN) to $\pi$-singular local event structures (LES$_\pi$).

Proof. The maps $\mathrm{t} : \mathbf{PN}^+ \to \mathbf{LTL}_{PN}$ and $\mathrm{n} : \mathbf{LTL}_{PN} \to \mathbf{PN}^+$ extend to adjoint functors which form a coreflection between $\mathbf{LTL}_{PN}$ and $\mathbf{PN}^+$. This results from an isomorphism between $\mathbf{LTL}^+$ and the category of local trace languages of [ ]. □

Connection with the Next Sections. In the rest of this paper, we exclude auto-concurrency from the behavior of Petri nets; thus we restrict our study to the class $\mathbf{LTL}$ of local trace languages $\mathcal{L} = (\Sigma, I, L)$ such that whenever $(u, p) \in I$ then $p$ is a set. Consequently, and following [ ] for the same technical reasons, we will only consider co-safe Petri nets, that is to say nets whose corresponding local trace language is without auto-concurrency.



3 Local Event Structures 



In this section, we study some new connections between co-safe Petri nets and local event structures. Introduced in [ ], this model is a powerful extension of classical event structures. Actually only a specific subclass of local event structures, required to satisfy a so-called “unique occurrence property”, was used by Hoogers, Kleijn and Thiagarajan as the framework of an event structure semantics of co-safe Petri nets. The aim of this section is to give a positive answer to a question of Hoogers who suggested in his thesis [ , p.139] a simpler “unique occurrence property” and asked whether another semantics of Petri nets is possible with the corresponding local event structures.

In order to represent the behavior of a Petri net by a local event structure, we will first consider its corresponding local trace language defined in Section 1 (Fig. [ ]) and then use some recent results of [ ] which establish a generic link between local trace languages and local event structures (Fig. [ ]). In that way, Hoogers’ suggestion and the local event structure semantics of [ ] appear as two instances of a more abstract problem. Then we observe that the semantics of [ ] immediately results from Section 1 and the main result of [ ] whereas Hoogers’ question does not: as shown by an example, the latter needs a more sophisticated method to translate local trace languages of Petri nets into local event structures. On the other hand, the corresponding partial orders of configurations admit a simple axiomatic characterization (Th. [ ]).

In fact, our main result (Th. [ ]) gives a solution to the more abstract problem which provides theoretically several other event structure semantics of Petri nets, one of which will be studied in detail in the third section.



Local Event Structures Are Co-safe Petri Nets. Local event structures were defined in [ ] as families of configurations of events provided with an enabling relation which specifies the local independencies between events.
Definition 3.1. A local event structure (LES) is a triple $\mathcal{E} = (E, C, \vdash)$ where $E$ is a set of events, $C \subseteq \wp_f(E)$ is a set of finite subsets of events called configurations and $\vdash \subseteq C \times \wp_f(E)$ is an enabling relation such that

LES$_1$: $(\emptyset \vdash \emptyset) \wedge (\forall e \in E, \exists c \in C, e \in c)$;

LES$_2$: $\forall c \in C$: $c \neq \emptyset \Rightarrow \exists e \in c,\ c \setminus \{e\} \vdash \{e\}$;

LES$_3$: $\forall c \in C, \forall p \in \wp_f(E)$: $c \vdash p \Rightarrow c \cap p = \emptyset$;

LES$_4$: $\forall c \in C, \forall p \in \wp_f(E), \forall p' \subseteq p$: $c \vdash p \Rightarrow (c \vdash p' \wedge c \cup p' \vdash p \setminus p')$.

LES$_1$ guarantees that the empty set is always a configuration and that the enabling relation is never empty. Also by LES$_1$, each event occurs in at least one configuration. LES$_2$ ensures that every non-empty configuration can be reached from the (initial) empty configuration. LES$_3$ implies that each event occurs at most once and by LES$_4$ each concurrent set can be split arbitrarily into subsets of concurrent events. To each local event structure $\mathcal{E}$ a set of finite sequential observations can be associated; these are called the paths of $\mathcal{E}$; formally, $Paths(\mathcal{E}) = \{e_1 \ldots e_n \in E^* \mid \forall i \in [1, n], \{e_1, \ldots, e_{i-1}\} \vdash \{e_i\}\}$. As shown in [ ], an event appears at most once along a path and each path $u$ leads to a unique configuration $Cfg(u)$ defined by $Cfg(u) = \{e \mid |u|_e = 1\}$.

As noticed in [ ], it is easy to associate to each local event structure $\mathcal{E}$ a local trace language $\mathrm{ltl}(\mathcal{E})$ with the same sequential observations and a local independence relation faithfully representing the concurrency in $\mathcal{E}$.

Definition 3.2. Let $\mathcal{E} = (E, C, \vdash)$ be a local event structure. The local trace language $\mathrm{ltl}(\mathcal{E})$ associated to $\mathcal{E}$ is $\mathrm{ltl}(\mathcal{E}) = (E, I, Paths(\mathcal{E}))$ where $I = \{(u, p) \in E^* \times \wp_f(E) \mid u \in Paths(\mathcal{E}) \text{ and } Cfg(u) \vdash p\}$.
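As an added example (not code from the paper), the following Python checks the axioms LES$_1$-LES$_4$ of Definition 3.1 on constructed local event structures, computes $Paths(\mathcal{E})$ and $Cfg(u)$, builds $\mathrm{ltl}(\mathcal{E})$ as in Definition 3.2, and checks that the result satisfies the axioms LTL$_1$, LTL$_2$, LTL$_4$ and LTL$_5$ of Definition 2.4. The enabling rule used to build the structures from their configurations and the two structures themselves are assumptions of this example.

```python
from itertools import combinations, permutations

def subsets(xs):
    """All subsets of a finite set, as frozensets."""
    xs = sorted(xs)
    return [frozenset(c) for k in range(len(xs) + 1) for c in combinations(xs, k)]

class LES:
    """A local event structure (E, C, |-) of Def. 3.1; configurations and
    enabled sets are frozensets of events."""

    def __init__(self, events, configs, enabling):
        self.E = frozenset(events)
        self.C = {frozenset(c) for c in configs}
        self.enabling = {(frozenset(c), frozenset(p)) for c, p in enabling}

    @classmethod
    def from_configs(cls, configs):
        """Constructed enabling rule (an assumption of this example, not a
        definition of the paper): c |- p iff c and p are disjoint and c
        extended by any part of p is again a configuration."""
        C = {frozenset(c) for c in configs}
        events = set().union(*C)
        enabling = [(c, p) for c in C for p in subsets(events - c)
                    if all(c | q in C for q in subsets(p))]
        return cls(events, C, enabling)

    def enables(self, c, p):
        return (frozenset(c), frozenset(p)) in self.enabling

    def violated_axioms(self):
        """Names of the axioms LES1-LES4 that this structure violates."""
        bad = []
        if not (self.enables((), ()) and all(any(e in c for c in self.C) for e in self.E)):
            bad.append("LES1")
        if not all(any(self.enables(c - {e}, {e}) for e in c) for c in self.C if c):
            bad.append("LES2")
        if any(c & p for c, p in self.enabling):
            bad.append("LES3")
        if not all(self.enables(c, q) and self.enables(c | q, p - q)
                   for c, p in self.enabling for q in subsets(p)):
            bad.append("LES4")
        return bad

    def paths(self):
        """Paths(E): each event is enabled by the set of events before it
        (breadth-first; finite because LES3 forbids repeating an event)."""
        found, frontier = [()], [()]
        while frontier:
            frontier = [u + (e,) for u in frontier for e in sorted(self.E)
                        if self.enables(set(u), {e})]
            found += frontier
        return found

def ltl(les):
    """ltl(E) = (E, I, Paths(E)) of Def. 3.2, with Cfg(u) the set of events of u."""
    L = les.paths()
    I = {(u, p) for u in L for p in subsets(les.E) if les.enables(set(u), p)}
    return les.E, I, L

def violated_ltl_axioms(E, I, L):
    """Axioms LTL1, LTL2, LTL4 and LTL5 of Def. 2.4 checked on a finite
    language (LTL3 needs the trace equivalence and is left out)."""
    bad = []
    if not all((u, q) in I for u, p in I for q in subsets(p)):
        bad.append("LTL1")
    if not all((u + v, p - q) in I for u, p in I for q in subsets(p)
               for v in permutations(sorted(q))):
        bad.append("LTL2")
    if not all((u[:-1], frozenset(u[-1:])) in I for u, p in I if u and not p):
        bad.append("LTL4")
    if {u for u, p in I if not p} != set(L):
        bad.append("LTL5")
    return bad

# Constructed structures: in GOOD, b can only occur after c while a is
# concurrent with both; BAD lists {a, c, b} without the configurations
# through which it could be reached, which LES2 forbids.
GOOD = LES.from_configs([(), ("a",), ("c",), ("a", "c"), ("c", "b"), ("a", "c", "b")])
BAD = LES.from_configs([(), ("c",), ("a", "c", "b")])

def les_example_facts():
    E, I, L = ltl(GOOD)
    return (GOOD.violated_axioms(), BAD.violated_axioms(), len(L),
            ((), frozenset("ac")) in I, ((), frozenset("ab")) in I,
            (("c",), frozenset("ab")) in I, violated_ltl_axioms(E, I, L))

if __name__ == "__main__":
    print(les_example_facts())   # ([], ['LES2'], 9, True, False, True, [])
```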

With the help of Th. 2.6 and similarly to a result of [ ], we establish the following proposition which asserts that the trace language of a local event structure is the trace language of a co-safe Petri net; thus any local event structure $\mathcal{E}$ may be identified with the Petri net $\mathrm{n} \circ \mathrm{ltl}(\mathcal{E})$.

Proposition 3.3. For any local event structure $\mathcal{E}$, $\mathrm{ltl}(\mathcal{E})$ is the local trace language of a co-safe Petri net.

Now the question is to build a connection in the other direction, from co-safe Petri nets to local event structures. In the first section, we explained how each Petri net naturally specifies a local trace language. Thus we now just have to translate local trace languages into local event structures. This is however a much more difficult problem.

Abstracting Events from Local Traces. We briefly recall the method introduced in [ref] in order to associate a local event structure to a given local trace language $\mathcal{L} = (\Sigma, I, L)$. The problem is to abstract events; they are actually identified as equivalence classes of prime intervals, which are pairs $(u, a) \in \Sigma^* \times \Sigma$ such that $u.a \in L$; we write $\mathrm{Pr}(\mathcal{L})$ for the set of prime intervals of $\mathcal{L}$.

Definition 3.4. An equivalence of prime intervals of $\mathcal{L}$ is an equivalence $\asymp$ over $\mathrm{Pr}(\mathcal{L})$ which satisfies

Ind: $(u, \{a, b\}) \in I \wedge a \neq b \Rightarrow (u, a) \asymp (u.b, a)$ [Independence]

Cfl: $(u, a) \in \mathrm{Pr}(\mathcal{L}) \wedge (u', a) \in \mathrm{Pr}(\mathcal{L}) \wedge u \sim u' \Rightarrow (u, a) \asymp (u', a)$ [Confluence]

Lab: $(u, a) \asymp (v, b) \Rightarrow a = b$ [Labeling]

Occ: $u.a \leq v.a \wedge (u, a) \asymp (v, a) \Rightarrow u = v$ [Occurrence Separation]

Let $\asymp$ be an equivalence of prime intervals of $\mathcal{L}$. For any word $u \in L$, the set of events in $u$ is denoted by $\mathrm{Eve}_{\asymp}(u) = \{(v, b)_{\asymp} \mid v.b \leq u\}$, where $(v, b)_{\asymp}$ denotes the $\asymp$-class of $(v, b)$. As established in ^9, $\asymp$ determines a local event structure $\mathrm{les}_{\asymp}(\mathcal{L})$ defined as follows.

Definition 3.5. The local event structure $\mathrm{les}_{\asymp}(\mathcal{L})$ is the triple $(E, C, \vdash)$ where $C = \{\mathrm{Eve}_{\asymp}(u) \mid u \in L\}$, $E = \bigcup C$, and

$c \vdash \{e_1, \dots, e_n\}$ iff $\exists u \in L, \exists a_1, \dots, a_n \in \Sigma: (u, \{a_1, \dots, a_n\}) \in I \wedge \mathrm{Eve}_{\asymp}(u) = c \wedge \forall i \in [1, n], e_i = (u, a_i)_{\asymp}$.



Punctuation, Singularity, and Symmetry. In order to translate any local trace language into a local event structure, one may simply choose an equivalence of prime intervals $\asymp_{\mathcal{L}}$ for each local trace language $\mathcal{L}$ and use the construction of Def. ^n. In Q, such a choice of equivalences was called a punctuation.

Definition 3.6. A punctuation is a family of equivalences $\pi = (\asymp_{\mathcal{L}})_{\mathcal{L} \in \mathrm{LTL}}$ such that each $\asymp_{\mathcal{L}}$ is an equivalence of prime intervals of $\mathcal{L}$ (Def. ^^i) and for any isomorphism $\lambda : \mathcal{L} \to \mathcal{L}'$ in LTL: $(u, a) \asymp_{\mathcal{L}} (v, b) \Rightarrow (\lambda(u), \lambda(a)) \asymp_{\mathcal{L}'} (\lambda(v), \lambda(b))$.

We write $\mathrm{les}_{\pi}$ for the translation from local trace languages to local event structures for which $\mathcal{L}$ maps to $\mathrm{les}_{\asymp_{\mathcal{L}}}(\mathcal{L})$ (Def. ^^^).



We note here that the equivalences which constitute a punctuation are coherent with isomorphisms; this ensures that isomorphic trace languages will be represented through $\mathrm{les}_{\pi}$ by the same local event structure.

On the event structure side, each punctuation $\pi$ determines a particular subclass of local event structures, called $\pi$-singular, for which the translation $\mathrm{ltl}$ of Def. ^3 is a right inverse of $\mathrm{les}_{\pi}$ (see Prop. 2.9 of ^3).



Definition 3.7. A local event structure $\mathcal{E}$ is $\pi$-singular w.r.t. a punctuation $\pi = (\asymp_{\mathcal{L}})_{\mathcal{L} \in \mathrm{LTL}}$ if $\forall u_1.e, u_2.e \in \mathrm{Paths}(\mathcal{E}), (u_1, e) \asymp_{\mathrm{ltl}(\mathcal{E})} (u_2, e)$.



Singularity is a central notion in this section because it is bound to the “unique occurrence properties” of ' '. Consider first the punctuation History $\pi^h = (\asymp^h_{\mathcal{L}})_{\mathcal{L} \in \mathrm{LTL}}$ (Def. d|[) such that each $\asymp^h_{\mathcal{L}}$ is the least equivalence over $\mathrm{Pr}(\mathcal{L})$ satisfying Ind and Cjc (Conjunction):

Cjc: $(u, a) \in \mathrm{Pr}(\mathcal{L}) \wedge (u', a) \in \mathrm{Pr}(\mathcal{L}) \wedge \mathrm{Eve}_{\asymp}(u) = \mathrm{Eve}_{\asymp}(u') \Rightarrow (u, a) \asymp (u', a)$

It is clear that $\asymp^h_{\mathcal{L}}$ satisfies Cfl, Lab and Occ; moreover the local event structures satisfying the “unique occurrence property” of ^ are precisely the $\pi^h$-singular local event structures. This is not surprising because History was inspired by the rule of identification of events used in Q. For instance, the local trace language $\mathcal{L}_1$ depicted in Fig. H describes the behaviors of $\mathcal{N}_1$ of Fig. H and admits four events according to History: $(\varepsilon, a)$, $(\varepsilon, b)$, $(\varepsilon, c)$, and $(b, a)$.

Consider now the punctuation Configuration $\pi^c = (\asymp^c_{\mathcal{L}})_{\mathcal{L} \in \mathrm{LTL}}$ such that each $\asymp^c_{\mathcal{L}}$ is the least equivalence over $\mathrm{Pr}(\mathcal{L})$ which satisfies Ind and the following condition:

$[(u, a) \in \mathrm{Pr}(\mathcal{L}) \wedge (u', a) \in \mathrm{Pr}(\mathcal{L}) \wedge \forall x \in \Sigma, |u|_x = |u'|_x] \Rightarrow (u, a) \asymp^c_{\mathcal{L}} (u', a)$.

This punctuation will play a central role here because the local event structures satisfying the alternative “unique occurrence property” of [J, p. 139] are precisely the $\pi^c$-singular local event structures. The point is that for any local event structure, if $u$ and $u'$ are two paths leading to the same configuration which enables $a$, then $(u, a)$ and $(u', a)$ should be identified. For instance the local trace language $\mathcal{L}_2$ of Fig. J admits five events according to Configuration, but six events w.r.t. History. Note also that for any local trace language $\mathcal{L}$, $\asymp^h_{\mathcal{L}} \subseteq \asymp^c_{\mathcal{L}}$.

Now on the side of traces, an interesting subclass of local trace languages consists of those which are symmetric w.r.t. a punctuation:

Definition 3.8. A local trace language $\mathcal{L} = (\Sigma, I, L)$ is $\pi$-symmetric w.r.t. a punctuation $\pi$ if $(u, p) \in I \wedge \mathrm{Eve}_{\asymp_{\mathcal{L}}}(u) = \mathrm{Eve}_{\asymp_{\mathcal{L}}}(u') \Rightarrow (u', p) \in I$.

A crucial point here is that any trace language describing a Petri net is $\pi$-symmetric w.r.t. any punctuation $\pi$, because if $\mathrm{Eve}_{\asymp_{\mathcal{L}}}(u) = \mathrm{Eve}_{\asymp_{\mathcal{L}}}(u')$ then $u$ and $u'$ contain the same actions and lead to the same marking.

From Co-safe Petri Nets to $\pi$-Singular Local Event Structures. We now reach the core of this section. The problem is to connect the local trace languages of Petri nets with the $\pi$-singular local event structures w.r.t. a given punctuation $\pi$ (Def. ^3 and Fig. ^). For instance, such a connection w.r.t. the punctuation Configuration $\pi^c$ would lead to a positive answer to Hoogers’ question. As far as History $\pi^h$ is concerned, this was achieved in | and also results immediately from the main result of [ref], which asserts that any $\pi^h$-symmetric local trace language determines through $\mathrm{les}_{\pi^h}$ a $\pi^h$-singular local event structure. Thus, we obtain the connection described in Fig. fl: the $\pi^h$-singular local event structure associated to a Petri net $\mathcal{N}$ is $\mathrm{les}_{\pi^h} \circ \mathrm{t}(\mathcal{N})$.

However, this is not always so easy, in particular with the Configuration punctuation $\pi^c$. Consider for instance the Petri net $\mathcal{N}_2$ of Fig. ^ and its corresponding local trace language $\mathcal{L}_2$ depicted in Fig. H: we observe here that $\mathrm{les}_{\pi^c}(\mathcal{L}_2)$ is not $\pi^c$-singular: the point is that $(ab, d) \asymp^c_{\mathcal{L}_2} (ba, d)$ but

$((\varepsilon, a).(a, b), (ab, d)) \not\asymp^c_{\mathrm{ltl} \circ \mathrm{les}_{\pi^c}(\mathcal{L}_2)} ((\varepsilon, b).(b, a), (ba, d))$.

Therefore the connection depicted in Fig. does not hold with $\pi^c$. However, in order to obtain a positive answer to Hoogers’ question, we have to link co-safe Petri nets with $\pi^c$-singular local event structures. For that, we will exhibit a punctuation $\pi^\dagger$ for which the connection of Fig. H holds and such that $\pi^c$-singular local event structures are precisely $\pi^\dagger$-singular local event structures. In fact, we tackle here the more abstract problem which consists in translating local trace languages of co-safe Petri nets into $\pi$-singular local event structures. However, for technical reasons, we will restrict our study to stable punctuations.

Definition 3.9. A punctuation $\pi = (\asymp_{\mathcal{L}})_{\mathcal{L} \in \mathrm{LTL}}$ is stable if any local trace language $\mathcal{L} \in \mathrm{LTL}$ satisfies Cjc:

$(u, a) \in \mathrm{Pr}(\mathcal{L}) \wedge (u', a) \in \mathrm{Pr}(\mathcal{L}) \wedge \mathrm{Eve}_{\asymp_{\mathcal{L}}}(u) = \mathrm{Eve}_{\asymp_{\mathcal{L}}}(u') \Rightarrow (u, a) \asymp_{\mathcal{L}} (u', a)$,

and if for any morphism $\lambda : \mathcal{L} \to \mathcal{L}'$ in LTL:

$(u, a) \asymp_{\mathcal{L}} (v, b) \Rightarrow (\lambda(u), \lambda(a)) \asymp_{\mathcal{L}'} (\lambda(v), \lambda(b))$.

Note here that History and Configuration are stable. The crucial technical lemma 
of this section is the following. 

Lemma 3.10. For any stable punctuation $\pi = (\asymp_{\mathcal{L}})_{\mathcal{L} \in \mathrm{LTL}}$ there is a stable punctuation $\pi^\dagger = (\asymp^\dagger_{\mathcal{L}})_{\mathcal{L} \in \mathrm{LTL}}$ which satisfies the three following properties:

— $\pi^\dagger$-singular local event structures are exactly $\pi$-singular local event structures;

— for any local trace language $\mathcal{L}$, $\asymp^\dagger_{\mathcal{L}} \subseteq \asymp_{\mathcal{L}}$;

— if a local trace language $\mathcal{L}$ is $\pi^\dagger$-symmetric then $\mathrm{les}_{\pi^\dagger}(\mathcal{L})$ is $\pi$-singular.

Moreover, if $\mathcal{L}$ is the local trace language of a co-safe Petri net then $\asymp^\dagger_{\mathcal{L}}$ is the largest equivalence of prime intervals $\asymp$ of $\mathcal{L}$ such that $\mathrm{les}_{\asymp}(\mathcal{L})$ is $\pi$-singular.

Proof. For each local trace language $\mathcal{L}$, we consider $\asymp^\dagger_{\mathcal{L}}$, which is the least equivalence over $\mathrm{Pr}(\mathcal{L})$ such that

1. for any $\pi$-singular local event structure $\mathcal{E}$, for any paths $u.a$, $v.a$ of $\mathcal{E}$ and for any morphism $\lambda : \mathrm{ltl}(\mathcal{E}) \to \mathcal{L}$: $(\lambda(u), \lambda(a)) \asymp^\dagger_{\mathcal{L}} (\lambda(v), \lambda(a))$;

2. $\asymp^\dagger_{\mathcal{L}}$ satisfies Cjc (Def. ^3).

Because $\pi$ is stable, $\asymp^\dagger_{\mathcal{L}} \subseteq \asymp_{\mathcal{L}}$ and $\pi^\dagger = (\asymp^\dagger_{\mathcal{L}})_{\mathcal{L} \in \mathrm{LTL}}$ is a stable punctuation. We easily check that $\pi^\dagger$-singular local event structures are precisely $\pi$-singular local event structures. The difficult point is to prove that for any $\pi^\dagger$-symmetric local trace language $\mathcal{L}$, $\mathrm{les}_{\pi^\dagger}(\mathcal{L})$ is $\pi^\dagger$-singular. For that we consider the morphism $\mathrm{Act}^\dagger_{\mathcal{L}}$ from $\mathrm{ltl} \circ \mathrm{les}_{\pi^\dagger}(\mathcal{L})$ to $\mathcal{L}$ such that $(u, a)^\dagger_{\mathcal{L}}$ maps to $a$, and observe that $\mathrm{Act}^\dagger_{\mathcal{L}}$ extends to a bijection between $\mathrm{Pr}(\mathrm{ltl} \circ \mathrm{les}_{\pi^\dagger}(\mathcal{L}))$ and $\mathrm{Pr}(\mathcal{L})$. Then the technical point is to check that $(u, a) \asymp^\dagger (v, b) \Leftarrow (\mathrm{Act}^\dagger_{\mathcal{L}}(u), \mathrm{Act}^\dagger_{\mathcal{L}}(a)) \asymp^\dagger_{\mathcal{L}} (\mathrm{Act}^\dagger_{\mathcal{L}}(v), \mathrm{Act}^\dagger_{\mathcal{L}}(b))$; this implies that $\mathrm{les}_{\pi^\dagger}(\mathcal{L})$ is $\pi^\dagger$-singular. Finally we consider $\mathcal{L} \in \mathrm{LTL}_{PN}$ and $\asymp'$ an equivalence of prime intervals of $\mathcal{L}$ such that $\mathrm{les}_{\asymp'}(\mathcal{L})$ is $\pi$-singular. Because $\mathcal{L} \in \mathrm{LTL}_{PN}$, we can prove that the map $\mathrm{Act}'$ for which each event $(u, a)'$ of $\mathrm{les}_{\asymp'}(\mathcal{L})$ maps to $a$ is a morphism from $\mathrm{ltl} \circ \mathrm{les}_{\asymp'}(\mathcal{L})$ to $\mathcal{L}$. Now, due to Th. 2.12 of [ref], $\mathrm{Act}'$ can be factorized by $\mathrm{Act}^\dagger_{\mathcal{L}}$: there exists a morphism $\lambda$ from $\mathrm{les}_{\asymp'}(\mathcal{L})$ to $\mathrm{les}_{\pi^\dagger}(\mathcal{L})$ such that $\mathrm{Act}' = \mathrm{Act}^\dagger_{\mathcal{L}} \circ \lambda$. Furthermore, a simple induction on $|u|$ ensures that $\lambda((u, a)') = (u, a)^\dagger$. Therefore $\asymp' \subseteq \asymp^\dagger_{\mathcal{L}}$. □

Consequently we obtain the main result of this section: each method to abstract events from traces determines a particular semantics of co-safe Petri nets.

Fig. 9. $\mathcal{L}_3$

Theorem 3.11. Let $\pi$ be a stable punctuation. Any co-safe Petri net $\mathcal{N}$ may be represented by the $\pi$-singular local event structure $\mathrm{les}_{\pi^\dagger} \circ \mathrm{t}(\mathcal{N})$, by means of its corresponding local trace language $\mathrm{t}(\mathcal{N})$ and the punctuation $\pi^\dagger$ of Lemma 3.10.

Example 3.12. We consider here again the punctuation Configuration $\pi^c$ and the local trace language $\mathcal{L}_2$ of Fig. ^; according to Lemma 3.10, $\asymp^\dagger_{\mathcal{L}_2} \subseteq \asymp^c_{\mathcal{L}_2}$ and $\mathrm{les}_{(\pi^c)^\dagger}(\mathcal{L}_2)$ is $\pi^c$-singular; therefore $(ab, d) \asymp^c_{\mathcal{L}_2} (ba, d)$ whereas $(ab, d) \not\asymp^\dagger_{\mathcal{L}_2} (ba, d)$. We should stress also here that the Petri net $\mathcal{N}_3$ of Fig. H and its corresponding trace language $\mathcal{L}_3$ depicted in Fig. ^ are represented by the $\pi^c$-singular local event structure $\mathrm{les}_{\pi^c}(\mathcal{L}_3)$ which admits 4 events whereas $\mathrm{les}_{\pi^h}(\mathcal{L}_3)$ admits 8 events; therefore $\pi^h$ and $\pi^c$ do specify two different semantics of Petri nets.

Universality of the Construction. We now apply the main result of Q in order to formalize the connection of Th. ^^J and Prop. ^H between $\pi$-singular local event structures and co-safe Petri nets in a categorical framework. We recall first the definition of behavior preserving morphisms of local event structures. A morphism $\eta$ from $\mathcal{E} = (E, C, \vdash)$ to $\mathcal{E}' = (E', C', \vdash')$ is a partial function $\eta : E \to E'$ such that $\forall c \in C, \forall p \in \mathcal{P}_f(E): c \vdash p \Rightarrow \eta(c) \vdash' \eta(p)$. We denote by LES the category of local event structures provided with these morphisms. We also denote by PN the full subcategory of co-safe Petri nets and $\mathrm{LTL}_{PN}$ the full subcategory of local trace languages which correspond to a co-safe Petri net.

Corollary 3.13. Let $\pi$ be a stable punctuation. The full subcategory $\mathrm{LES}_{\pi}$ of $\pi$-singular local event structures is coreflective into the category of co-safe nets.

Proof. First, due to Th. 2.12 of Q and Lemma ^^J, we have a coreflection $\mathrm{ltl} : \mathrm{LES}_{\pi} \to \mathrm{LTL}_{PN}$ whose right-adjoint is $\mathrm{les}_{\pi^\dagger}$. Now the coreflection of Th. [ref] obviously induces a coreflection $\mathrm{LTL}_{PN} \to \mathrm{PN}$ when auto-concurrency is excluded from both models. □

Local Partial Orders versus $\pi^c$-Singular Local Event Structures. The preceding result gives, when applied with the punctuation Configuration $\pi^c$, a positive answer to Hoogers’ question. Thus any co-safe Petri net may be faithfully represented by a $\pi^c$-singular local event structure. We now go further towards a more abstract model and give a simple axiomatic criterion for the partial orders associated to these particular local event structures.
Definition 3.14. Let $\mathcal{E} = (E, C, \vdash)$ be a local event structure; its associated partial order of configurations is $(C, \leq)$ where $\leq$ is the least transitive and reflexive relation on $C$ such that $c \vdash \{e\} \Rightarrow c \leq c \cup \{e\}$.

Because the punctuation Configuration $\pi^c$ is more general and also somehow simpler than History, we are able to characterize the partial orders of configurations of $\pi^c$-singular local event structures.

Let $(D, \leq)$ be a partially ordered set. If all elements of $D$ are larger than a single element $x \in D$ then $x$ is said to be the least element, denoted by $\bot$. For any $x, y \in D$, we write $x \prec y$ if $x < y$ and $\forall z \in D, x < z \leq y \Rightarrow y = z$. A chain from $x$ to $y$ is a sequence $z_0, \dots, z_n$ in $D$ such that $z_0 = x$, $z_n = y$ and $z_{i-1} \prec z_i$ for any $i \in [1, n]$. A prime interval of $(D, \leq)$ is a pair $[x, y]$ such that $x \prec y$; we write $[x, y] \prec [x', y']$ if $x \prec x'$, $y \prec y'$ and $x' \neq y$. Projectivity $\approx$ is the symmetric and transitive closure of the relation $\prec$ over the prime intervals.

Definition 3.15. A partial order $(D, \leq)$ is a local partial order if it satisfies the following conditions:

M: $D$ admits a least element $\bot$;

F: $\forall x \in D$, $\{y \in D \mid y \leq x\}$ is finite;

R: if $[x, y] \approx [x', y']$ and $x = x'$ then $y = y'$;

L: for any chains $(x_i)_{i \in [0, n]}$ and $(y_j)_{j \in [0, m]}$ from $\bot$ to $x$ and $y$ respectively: $x = y$ iff for any $\approx$-equivalence class of prime intervals $e$,

$\mathrm{Card}\{i \in [1, n] \mid [x_{i-1}, x_i] \in e\} = \mathrm{Card}\{j \in [1, m] \mid [y_{j-1}, y_j] \in e\}$.

Local partial orders satisfy some useful and classical properties. First, due to F, whenever $x \leq y$ there is a chain from $x$ to $y$. Second, for any equivalence class of prime intervals $e$ and any element $x$, let $n(x, e)$ denote the number of prime intervals in $e$ in any chain from $\bot$ to $x$; this is well-defined because of L; as previously remarked by Droste [ref], Axiom R implies that $n(x, e) \leq 1$: an equivalence class of prime intervals appears at most once along a chain.

Theorem 3.16. The partial order of configurations of any $\pi^c$-singular local event structure is a local partial order. Conversely, any local partial order is isomorphic to the partial order of configurations of a $\pi^c$-singular local event structure.

4 Unfolding of Co-safe Petri Nets 

In the preceding section, we established that several identifications of events may be used to build different event structure semantics of Petri nets. From a theoretical point of view, each semantics determines a particular notion of unfolding; precisely, given a punctuation $\pi$, the unfolding of a net $\mathcal{N}$ could be defined as the Petri net describing the $\pi$-singular local event structure associated to $\mathcal{N}$ (Fig. J, Th. ^^y, Prop. ^3 and Fig. ^). However this net admits an infinite number of places even if the local event structure $\mathrm{les}_{\pi} \circ \mathrm{t}(\mathcal{N})$ admits only a finite number of events. That is why we present in this section a simplified unfolding construction. In this direction, we will use a new rule of identification of events which guarantees nice behavior preserving properties (Th. ^3).

Recall first that Nielsen, Plotkin and Winskel have established that the behavior of a 1-safe Petri net may be described by an (unfolded) occurrence net whose transitions correspond to the events of the prime event structure naturally associated to the 1-safe net. Analogously, the transitions of the unfolding of a co-safe Petri net will correspond to the events of its associated local event structure. Although the latter is not a prime event structure, we will extract from it notions of causality and conflict which will form the skeleton of the unfolding.

New Identification of Events. The punctuation Unfolding studied in this section is slightly more general than History; the main idea here is that if $u.a$ and $u'.a$ describe two sequential executions and if the events in $u'$ differ from those in $u$ only by occurrences of actions that are known to be independent of $a$, then the prime intervals $(u, a)$ and $(u', a)$ represent the same event.

Definition 4.1. For any local trace language $\mathcal{L} = (\Sigma, I, L)$ and any equivalence $\asymp$ over $\mathrm{Pr}(\mathcal{L})$, the set of events independent of $(u, a) \in \mathrm{Pr}(\mathcal{L})$ is $\mathrm{CoEve}_{\asymp}(u, a) = \{(v, b)_{\asymp} \mid a \neq b \wedge (v, \{a, b\}) \in I \wedge (v, a) \asymp (u, a)\}$.

The punctuation Unfolding $\pi^u = (\asymp^u_{\mathcal{L}})_{\mathcal{L} \in \mathrm{LTL}}$ is such that each $\asymp^u_{\mathcal{L}}$ is the least equivalence over $\mathrm{Pr}(\mathcal{L})$ satisfying Unf:

Unf: $(u, a) \in \mathrm{Pr}(\mathcal{L}) \wedge (u', a) \in \mathrm{Pr}(\mathcal{L}) \wedge \mathrm{Eve}_{\asymp}(u) \setminus \mathrm{CoEve}_{\asymp}(u, a) = \mathrm{Eve}_{\asymp}(u') \setminus \mathrm{CoEve}_{\asymp}(u, a) \Rightarrow (u, a) \asymp (u', a)$ [Unfolding]

We easily check that the equivalences $\asymp^u_{\mathcal{L}}$ do exist and form a stable punctuation; in particular, Unf $\Rightarrow$ Ind $\wedge$ Cjc (Def. ^H and ^H), thus $\asymp^h_{\mathcal{L}} \subseteq \asymp^u_{\mathcal{L}}$ for any local trace language $\mathcal{L}$. The following example shows that this inclusion may be strict.

Example 4.2. We consider here again the local trace language $\mathcal{L}_1$ of Fig. O; according to the punctuation Unfolding $\pi^u$, $(\varepsilon, a) \asymp^u_{\mathcal{L}_1} (b, a)$ whereas for History and Configuration these two prime intervals are not equivalent.

Now this new punctuation is easily proved to be stable (Def. ^H), so it brings yet another event structure semantics for co-safe Petri nets (Corollary ^^Jl), this time with $\pi^u$-singular local event structures; moreover, similarly to History, the $\pi^u$-singular local event structure associated to a Petri net $\mathcal{N}$ is simply $\mathrm{les}_{\pi^u} \circ \mathrm{t}(\mathcal{N})$ (Def. ^3 and ^H). Formally, we have the following result.

Lemma 4.3. $\mathrm{les}_{\pi^u}$ is the right-adjoint of the coreflection $\mathrm{ltl} : \mathrm{LES}_{\pi^u} \to \mathrm{LTL}_{PN}$.

Construction of an Unfolded Petri Net. We consider here a co-safe Petri net $\mathcal{N} = (S, T, W, M_{in})$ and describe how the behavior of $\mathcal{N}$ may be faithfully represented by an unfolded net in which no transition is ever fired twice along an execution. The basis of the construction of this unfolded net is the local event structure $\mathrm{les}_{\pi^u}(\mathcal{L}) = (E, C, \vdash)$ associated to the local trace language $\mathcal{L}$ which describes the executions of $\mathcal{N}$. As formally established by Hoogers, Kleijn and Thiagarajan [ref], any local event structure may be “completed” into a prime event structure; here we only recall which causality and conflict relations over the events are naturally associated to $\mathcal{E}$: we note $e_1 \leq e_2$ if $\forall c \in C, e_2 \in c \Rightarrow e_1 \in c$ and $e_1 \# e_2$ if $\forall c \in C, e_2 \in c \Rightarrow e_1 \notin c$. We observe that $\leq$ is a partial order over $E$, called causal relation, and $\#$ is a symmetric irreflexive relation, called conflict relation; moreover, $e_1 \# e_2 \leq e_3 \Rightarrow e_1 \# e_3$, so the structure $(E, \leq, \#)$ is a prime event structure [ref]. It is well-known that any prime event structure may be represented by an occurrence net, which will be used here as the skeleton of the unfolding of $\mathcal{N}$.

First, we introduce some supplementary notations. We write $e_1 \prec e_2$ if $e_1 < e_2$ and $e_1 < e_3 \leq e_2 \Rightarrow e_3 = e_2$. The immediate conflict relation $\#_\mu$ is the symmetric binary relation over $E$ such that $e_1 \#_\mu e_2$ if $e_1 \# e_2$ and for all events $e'_1$ and $e'_2$: $e'_1 \leq e_1 \wedge e'_2 \leq e_2 \wedge e'_1 \# e'_2 \Rightarrow (e_1 = e'_1 \wedge e_2 = e'_2)$. Now the occurrence net associated to the structure $(E, \leq, \#)$ is simply the Petri net $\mathcal{N}^\circ = (S^\circ, E, W^\circ, M^\circ_{in})$ such that the transitions are the events $E$, the places, called conditions, are

$S^\circ = \{(e_1, e_2) \in E \times E \mid e_1 \prec e_2\} \cup \{\{e_1, e_2\} \subseteq E \mid e_1 \#_\mu e_2\} \cup \{(*, e_1) \mid e_1 \in E \wedge \forall e_2 \in E, e_2 \leq e_1 \Rightarrow e_1 = e_2\}$,

the weight function is given by

$W^\circ : (S^\circ \times E) \cup (E \times S^\circ) \to \mathbb{N}$

$(e_1, e_2), e' \mapsto 1$ if $e' = e_2$, $0$ otherwise

$\{e_1, e_2\}, e' \mapsto 1$ if $e' \in \{e_1, e_2\}$, $0$ otherwise

$(*, e_1), e' \mapsto 1$ if $e' = e_1$, $0$ otherwise

$e', (e_1, e_2) \mapsto 1$ if $e' = e_1$, $0$ otherwise

$e', \{e_1, e_2\} \mapsto 0$

$e', (*, e_1) \mapsto 0$

and in the initial marking $M^\circ_{in}$ each condition contains one token except for the conditions $(e_1, e_2) \in S^\circ$ which are initially empty.

Example 4.4. The occurrence net $\mathcal{N}_1^\circ$ associated to the Petri net $\mathcal{N}_1$ of Fig. B is depicted in Fig. B. Obviously, this Petri net does not faithfully represent $\mathcal{N}_1$ because some of its behaviours are forbidden in $\mathcal{N}_1$; for instance the concurrent firing of the three transitions. That is why we will add some places to this occurrence net in order to restrict its behaviors and get a more faithful representation.

Now in order to restrict the behaviors of the occurrence net $\mathcal{N}^\circ$, we simply add to $\mathcal{N}^\circ$ a copy of each place of $\mathcal{N}$ with the same initial marking; the connections between these new places and the events are given by the following simple weight function, in accordance with the weight function $W$ of $\mathcal{N}$:

$W^u : (S \times E) \cup (E \times S) \to \mathbb{N}$

$s, (u, a) \mapsto W(s, a)$

$(u, a), s \mapsto W(a, s)$

Thus the unfolding of $\mathcal{N}$ could be defined as $(S^\circ \cup S, E, W^\circ \cup W^u, M^\circ_{in} \cup M_{in})$. However, it may be the case that some places of $\mathcal{N}^\circ$ play the same role as some places of $\mathcal{N}$ and may be removed in order to get a simpler unfolding. Formally a condition $s^\circ \in S^\circ$ is trivial if there is a place $s \in S$ such that $\forall e \in E$, $W^\circ(s^\circ, e) = W^u(s, e) \wedge W^\circ(e, s^\circ) = W^u(e, s)$ and $M^\circ_{in}(s^\circ) = M_{in}(s)$. Clearly, the behavior of the unfolding does not change by removing such trivial conditions. Finally, we can sum up the definition of the unfolding of $\mathcal{N}$ in the following way.
Definition 4.5. The unfolding of the Petri net $\mathcal{N}$ is $\mathrm{u}(\mathcal{N}) = (S', E, W', M'_{in})$ where the set of places $S'$ consists of the places of $\mathcal{N}$ and the non-trivial conditions of $\mathcal{N}^\circ$, the set of transitions $E$ consists of the events of the local event structure $\mathcal{E} = \mathrm{les}_{\pi^u} \circ \mathrm{t}(\mathcal{N})$, and the values of the weight function $W'$ and the initial marking $M'_{in}$ are those of $W^\circ \cup W^u$ and $M^\circ_{in} \cup M_{in}$ respectively.



Example 4.6. Continuing Example [ref], we observe that the unfolding of the Petri net $\mathcal{N}_1$ of Fig. H is isomorphic to $\mathcal{N}_1$. This is different from the unfolding construction of ^3, for which it matters which tokens are used for the firing of $c$ in the initial marking. This is also different from the unfolding of H, which admits an infinite number of events and does not rely on an occurrence net.

Main Properties of this Construction. We should stress first that the structure of the events in the underlying occurrence net is meaningful. Clearly, two events in conflict never appear together in the same firing sequence and two events in causal relation always appear in the corresponding order. Moreover we establish the following correspondence between the possible independency of two events of the unfolding $\mathrm{u}(\mathcal{N})$ and their structural concurrency within the underlying occurrence net.

Lemma 4.7. Two events $e$ and $e'$ of $\mathrm{u}(\mathcal{N})$ are neither in conflict nor in causal relation (w.r.t. the underlying occurrence net) iff the step $\{e, e'\}$ appears in a multiset firing sequence of $\mathrm{u}(\mathcal{N})$.

This lemma is the basis of a strong connection between $\mathcal{N}$ and its unfolding.

Theorem 4.8. There is a bijection between the multiset firing sequences of $\mathcal{N}$ and those of its unfolding. More precisely, let $\varphi$ be the map from the transitions $E$ of the unfolding $\mathrm{u}(\mathcal{N})$ to the transitions $T$ of $\mathcal{N}$ for which $(u, t)$ maps to $t$:

1. for any multiset firing sequence $M'_{in} [p'_1\rangle M'_1 \dots [p'_n\rangle M'_n$ in the unfolding $\mathrm{u}(\mathcal{N})$, there exists a (unique) multiset firing sequence $M_{in} [\varphi(p'_1)\rangle M_1 \dots [\varphi(p'_n)\rangle M_n$ in $\mathcal{N}$.

2. for any multiset firing sequence $M_{in} [p_1\rangle M_1 \dots [p_n\rangle M_n$ in $\mathcal{N}$, there is a unique multiset firing sequence $M'_{in} [p'_1\rangle M'_1 \dots [p'_n\rangle M'_n$ in $\mathrm{u}(\mathcal{N})$ such that $\forall k \in [1, n], \varphi(p'_k) = p_k$.

This result guarantees that the unfolding construction offers a faithful representation of the concurrent executions of a Petri net. This extends a similar property of the classical unfolding of 1-safe nets Q. However, because our study is restricted to co-safe Petri nets, the multiset firing sequences of a net and those of its unfolding do not admit auto-concurrency: they are all step firing sequences in the sense of Q.

The reader may have observed that the construction of the unfolding might have been carried out with any other punctuation; however, one can easily check that the unfolding of the Petri net $\mathcal{N}_1$ of Fig. H w.r.t. the punctuation History $\pi^h$ would not satisfy the second property of the theorem above: the fact is that the sequence $b.a$ would correspond to two distinct sequences, $(\varepsilon, b).(b, a)$ and $(\varepsilon, b).(\varepsilon, a)$, whereas $(\varepsilon, a) \asymp^u (b, a)$. In fact, Axiom Unf of Def. ^J is necessary to obtain an unfolding for which the second part of Th. ^J holds.

Finally, we observe that the unfolding construction is idempotent. 

Corollary 4.9. For any co-safe Petri net $\mathcal{N}$, $\mathrm{u}(\mathrm{u}(\mathcal{N}))$ is isomorphic to $\mathrm{u}(\mathcal{N})$.
Abstract. The ambient calculus is a calculus of computation that allows active processes (mobile ambients) to move between sites. A firewall is said to be protective whenever it denies entry to attackers not possessing the required passwords. We devise a polynomial time algorithm for rejecting proposed firewalls that are not guaranteed to be protective. This is based on a control flow analysis for recording what processes may turn up inside what other processes; in particular, we develop a syntax-directed system for specifying the acceptability of an analysis, we prove that all acceptable analyses are semantically sound, and we demonstrate that each process admits a least analysis.



1 Introduction 

The ambient calculus is a calculus of computation that allows active processes (called mobile ambients) to move between sites; it thereby extends the notion of mobility found in Java (e.g. B) where only passive code may move between sites. The untyped calculus was introduced in Q and a type system for a polyadic variant was presented in Q. The calculus is molded on traditional process algebras (such as the $\pi$-calculus) but rather than focusing on communication (of values, channels, or processes) it focuses on the movement of processes between different sites; the sites correspond to administrative domains and are modelled using a notion of ambients. We refer to Section 2 for a review of the ambient calculus.

Since processes may evolve when moving around, it becomes harder to analyse what processes may turn up inside what other processes. In Section 3 we show how to adapt techniques from the static analysis of functional programs to develop a control flow analysis Q for the ambient calculus. This takes the form of a syntax-directed system for specifying when the analysis results are acceptable; we then prove that all acceptable analyses are semantically sound (by means of a subject-reduction result); finally we demonstrate that each process not only admits an analysis but in fact admits a least analysis (by means of a Moore-family result) and we discuss the existence of polynomial-time algorithms.

Jos C.M. Baeten, Sjouke Mauw (Eds.): CONCUR’99, LNCS 1664, pp. 463-^^|, 1999.
In Q the ambient calculus is used to model and study a firewall where only agents knowing the required passwords are supposed to enter; indeed, it is shown that all agents in a special form will in fact enter. However, it is at least as important to ensure that an attacker not knowing the required passwords cannot enter, since this would present a useful technique for screening a system against attackers. In Section 4 we use our analysis to present a polynomial-time procedure for rejecting a class of non-protective firewalls that do not ban illegal access to the internals of the non-protective firewall; this is based on identifying an attacker that is as hard to protect against as any other attacker (somewhat in the manner of hard problems for a given complexity class).

Because of space limitations we only present the analysis for the (Turing complete) core fragment of the calculus where communication is not allowed; however, the control flow analysis has been designed so that it scales up to the full language.



2 Mobile Ambients 

Syntax. We follow the presentation in Q; we make a syntactic distinction between capabilities ($M$) and namings ($N$) as is also implicit in the type system of [ref]. The syntax of processes $P \in \mathrm{Proc}$, capabilities $M \in \mathrm{Cap}$ and namings $N \in \mathrm{Nam}$ is given by:

P ::= (νn^μ)P      restriction
    | 0            inactivity
    | P | P'       composition
    | !P           replication
    | N^ℓ[P]       ambient
    | M.P          movement

M ::= in^t N       enter N
    | out^t N      exit N
    | open^t N     open N

N ::= n            name

To allow the analysis to deal with the $\alpha$-conversion that is part of the semantics we distinguish between the name $n$ introduced by a restriction operator (and that may be $\alpha$-renamed) and the corresponding stable name $\mu \in \mathrm{SNam}$ (that cannot be $\alpha$-renamed). One way to understand this distinction is to think of a name as an internet address (e.g. daimi.au.dk) and to think of a stable name as the corresponding absolute address (e.g. 130.225.16.40); clearly it is possible for the internet address to change (e.g. from daimi.aau.dk to daimi.au.dk) without a similar change in the absolute address (e.g. 130.225.16.40). Another way to understand the distinction between names and stable names is to regard the stable names as static representations of the names arising dynamically.

As is customary for the Flow Logic approach to control flow analysis we have also placed labels $\ell^a \in \mathrm{Lab}^a$ on ambients and labels $\ell^t \in \mathrm{Lab}^t$ on transitions; this is merely a convenient way of indicating “program points” and is useful when developing the analysis. The sets of names, stable names and labels are left unspecified but are assumed to be non-empty; it is not essential that they be mutually disjoint and we occasionally write $\ell \in \mathrm{Lab} = \mathrm{Lab}^a \cup \mathrm{Lab}^t$.

Table 1. Structural congruence (among its clauses: $\alpha$-conversion $(\nu n^\mu)P \equiv (\nu m^\mu)(P\{n \leftarrow m\})$ if $m \notin \mathrm{fn}(P)$, and $!0 \equiv 0$).

We write $\mathrm{fn}(P)$ for the set of free names of $P$ and similarly for $M$ and $N$. The programs of interest are ambients in the form $n^\ell[P]$ where $n \notin \mathrm{fn}(P)$.

Example 1. Consider the following example from Q for illustrating how an agent crosses a firewall using the prearranged passwords k, k' and k'':

Firewall: $(\nu w^{\mu})\,w[\,k[\mathrm{out}\ w.\ \mathrm{in}\ k'.\ \mathrm{in}\ w] \mid \mathrm{open}\ k'.\ \mathrm{open}\ k''.\ P\,]$

Agent: $k'[\mathrm{open}\ k.\ k''[Q]]$

The program of interest is $n[\mathit{Firewall} \mid \mathit{Agent}]$. We use typewriter font for names, italics for stable names, roman for ambient labels, and numbers for transition labels. □



Semantics. The semantics is given by a structural congruence relation $P \equiv Q$ and a reduction relation $P \to Q$ in the manner of the $\pi$-calculus. The congruence relation of Table 1 is a straightforward modification of a similar table in ^ with the exception that we have added the side condition “if $n \neq m$” to the clause for $(\nu\ )P$; in our setting it would be incorrect to have no side condition because the association between names and stable names must be maintained at all times. We write $P\{n \leftarrow m\}$ for the process that is as $P$ but with all free occurrences of $n$ replaced by $m$.

The reduction relation is given in Table 2 and is as in [ref]; a pictorial representation of the three basic rules is given in Figure 1. It should be clear that the annotations in the syntax have no semantic consequences. We can make this precise as follows. Let $\mu_\star$ be a distinguished stable name, $\ell^a_\star$ a distinguished ambient label and $\ell^t_\star$ a distinguished transition label. Given a process $P$ write $\lfloor P \rfloor$ for the process where all stable names are replaced by $\mu_\star$, all ambient labels by $\ell^a_\star$ and all transition labels by $\ell^t_\star$.
Fig. 1. Pictorial representation of the basic reduction rules (in, out and open).

Fact 1. $P \to^* Q \wedge \lfloor P \rfloor = \lfloor P' \rfloor \Rightarrow \exists Q' : P' \to^* Q' \wedge \lfloor Q \rfloor = \lfloor Q' \rfloor$.

The proof is by induction on the length of the derivation $P \to^* Q$; for the induction step $P \to R \to^* Q$ we proceed by induction on the shape of the inference of $P \to Q$. □

Example 2. We have the following sequence of reduction steps for $n^{l_*}[\mathit{Firewall} \mid 
\mathit{Agent}]$; in each step we have underlined the capability to be executed next and 
we have assumed that $w \notin \mathrm{fn}(Q)$. 

$n^{l_*}[(\nu w^{w})\,w^{A}[k^{B}[\underline{\mathit{out}\,w}.\,\mathit{in}\,k'.\,\mathit{in}\,w] \mid \mathit{open}\,k'.\,\mathit{open}\,k''.\,P] \mid k'^{C}[\mathit{open}\,k.\,k''^{D}[Q]]]$ 

$\to n^{l_*}[(\nu w^{w})(k^{B}[\underline{\mathit{in}\,k'}.\,\mathit{in}\,w] \mid w^{A}[\mathit{open}\,k'.\,\mathit{open}\,k''.\,P] \mid k'^{C}[\mathit{open}\,k.\,k''^{D}[Q]])]$ 

$\to n^{l_*}[(\nu w^{w})(w^{A}[\mathit{open}\,k'.\,\mathit{open}\,k''.\,P] \mid k'^{C}[k^{B}[\mathit{in}\,w] \mid \underline{\mathit{open}\,k}.\,k''^{D}[Q]])]$ 

$\to n^{l_*}[(\nu w^{w})(w^{A}[\mathit{open}\,k'.\,\mathit{open}\,k''.\,P] \mid k'^{C}[\underline{\mathit{in}\,w} \mid k''^{D}[Q]])]$ 

$\to n^{l_*}[(\nu w^{w})\,w^{A}[\underline{\mathit{open}\,k'}.\,\mathit{open}\,k''.\,P \mid k'^{C}[k''^{D}[Q]]]]$ 

$\to n^{l_*}[(\nu w^{w})\,w^{A}[\underline{\mathit{open}\,k''}.\,P \mid k''^{D}[Q]]]$ 

$\to n^{l_*}[(\nu w^{w})\,w^{A}[P \mid Q]]$ 

The transition sequence shows that the firewall (which has the private name w) 
sends out the pilot ambient named k; since the agent knows the right passwords, 
and is in the right form, the pilot ambient can enter the agent and then guide it 
inside the firewall. □ 



$P \to Q \Rightarrow (\nu n^{\mu})P \to (\nu n^{\mu})Q$ 

$P \to Q \Rightarrow n^{l}[P] \to n^{l}[Q]$ 

$P \to Q \Rightarrow P \mid R \to Q \mid R$ 

$P \equiv P' \wedge P' \to Q' \wedge Q' \equiv Q \Rightarrow P \to Q$ 

$n^{l_1}[\mathit{in}^{l}\,m.\,P \mid Q] \mid m^{l_2}[R] \to m^{l_2}[n^{l_1}[P \mid Q] \mid R]$ 

$m^{l_2}[n^{l_1}[\mathit{out}^{l}\,m.\,P \mid Q] \mid R] \to n^{l_1}[P \mid Q] \mid m^{l_2}[R]$ 

$\mathit{open}^{l}\,n.\,P \mid n^{l_1}[Q] \to P \mid Q$ 

Table 2. Reduction relation. 
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3 Control Flow Analysis 



Immediate Constituents of Ambients. The main aim of the analysis is to obtain 
the following information for each ambient: (i) which ambients may be imme- 
diately contained in it, and (ii) which transitions it may perform. An ambient 
will be identified by its label $l \in \mathrm{Lab}^a$ and a transition by its associated stable 
capability $\hat{m} \in \mathrm{SCap}$; stable capabilities are given by 

$\hat{m} ::= \mathit{in}^{l}\,\mu \mid \mathit{out}^{l}\,\mu \mid \mathit{open}^{l}\,\mu$ 

and correspond to capabilities except that names have been replaced by stable 
names. The analysis records this information in the following component: 

$I \in \mathrm{InAmb} = \mathrm{Lab}^a \to \mathcal{P}(\mathrm{Lab}^a \cup \mathrm{SCap})$ 

When specifying the analysis we shall also use the “inverse” mapping $I^{-1}$ : 
$(\mathrm{Lab}^a \cup \mathrm{SCap}) \to \mathcal{P}(\mathrm{Lab}^a)$ that returns the set of ambients in which the given 
ambient or transition might occur; formally $x \in I(l)$ if and only if $l \in I^{-1}(x)$. 
Later we shall write $I^{+}(l) \ni l'$ to mean that there exist $l_1, \ldots, l_n$ (for $n > 1$) 
such that $l = l_1$, $l' = l_n$, and $\forall i < n : I(l_i) \ni l_{i+1}$. 

Stable Names of Ambients. Each occurrence of an ambient has a stable name 
and to keep track of this information the analysis also contains the following 
component: 

$H \in \mathrm{HNam} = \mathrm{Lab}^a \to \mathcal{P}(\mathrm{SNam})$ 

Similarly to before we shall use the “inverse mapping” $H^{-1} : \mathrm{SNam} \to \mathcal{P}(\mathrm{Lab}^a)$ 
that returns the set of ambients that might have the given stable name; formally 
$l \in H^{-1}(\mu)$ if and only if $\mu \in H(l)$. 

Naming Environment. The association between free names and their stable 
names is expressed by a naming environment: 

$me \in \mathrm{MEnv} = \mathrm{Nam} \to_{\mathrm{fin}} \mathrm{SNam}$ 

We shall write $me_*$ for the initial naming environment for the program $n^{l_*}[P_*]$ 
of interest and $\mathrm{dom}(me_*)$ for its finite domain. 

Example 3. Consider the following analysis information (where the initial nam- 
ing environment maps the names k, k' and k'' to the stable names k, k' and k'', respectively): 

label   I                                                               H 
l*      {A, B, C}                                                       {} 
A       {out w, in k', in w, open k', open k'', open k, A, B, C, D}      {w} 
B       {out w, in k', in w}                                            {k} 
C       {out w, in k', in w, open k, A, B, C, D}                        {k'} 
D       {}                                                              {k''} 


468 Flemming Nielson et al. 



This shows that the ambient labelled A might perform transitions consuming any 
of the capabilities labelled 1-6 and that it might contain any of the ambients 
labelled A-D; in particular it might contain the ambient labelled C, indicating 
that the agent might enter the firewall, and as shown in Example 2 this is 
indeed the case. □ 



3.1 The Acceptability Relation 



The acceptability of the analysis is defined by the following four predicates (de- 
fined in Table 3 and explained below): 

$(I,H) \models^{l}_{me} P$: for checking a process $P \in \mathrm{Proc}$; 

$(I,H) \rhd_{me} M : \hat{M}$: for translating a capability $M \in \mathrm{Cap}$ into a 
set $\hat{M} \in \mathcal{P}(\mathrm{SCap})$ of stable capabilities; 

$(I,H) \Vdash_{me} N : \hat{N}$: for decoding a naming $N \in \mathrm{Nam}$ into a set 
$\hat{N} \in \mathcal{P}(\mathrm{SNam})$ of stable names; 

$(I,H) \models^{l} \hat{m}$: for checking a stable capability $\hat{m} \in \mathrm{SCap}$. 



The first part of Table 3 gives a simple syntax-directed definition of what it means 
for an analysis result (I, H) to be acceptable for the process P. The predicate is 
defined relative to the current naming environment me and the current label l 
of the enclosing ambient. The naming environment is updated whenever we pass 
through a restriction operator and the label is updated whenever we pass inside 
a new ambient. Note that the analysis cannot distinguish between whether a 
process occurs only once or many times: !P and P are analysed in the same way 
(as are $P \mid P$ and P). 

The clause for ambients $N^{l'}[P]$ first checks the subprocess P using the appropri- 
ate naming environment and label. It then demands that the label of the ambient 
is recorded as being inside the current label. Finally, it demands that the stable 
name of the ambient is recorded as being a name of the ambient: intuitively, $\hat{N}$ 
is the singleton $\{me(n)\}$ when N is n; this is made precise by the third part 
of the table. As in Prolog, any free identifier on the right-hand sides (like $\hat{N}$) is 
assumed to be existentially quantified. 

The clause for movement M. P first checks the subprocess P using the appropri- 
ate naming environment and label. It then translates the capability M into the 
set of stable capabilities $\hat{M}$ by replacing names with stable names: intuitively 
$\hat{M}$ is the singleton $\{\mathit{in}^{l}\,me(n)\}$ when M is $\mathit{in}^{l}\,n$ and similarly for the other capa- 
bilities; this is made precise by the second part of the table. Finally, each stable 
capability is analysed in turn as explained below. 

The last part of Table 3 shows how to check stable capabilities against the 
analysis result (I, H). Figure 2 illustrates these clauses pictorially; the similarity 
between Figures 1 and 2 stresses the systematic way in which a control flow 
analysis may be developed from a formal semantics. 

[Table 3: only the clauses below are recoverable from the extraction; the process clauses are described in the text above.] 

$(I,H) \rhd_{me} \mathit{open}^{l^t}\,N : \hat{M}$ iff $(I,H) \Vdash_{me} N : \hat{N} \wedge \hat{M} \supseteq \{\mathit{open}^{l^t}\,\mu \mid \mu \in \hat{N}\}$ 

$(I,H) \Vdash_{me} n : \hat{N}$ iff $\hat{N} \supseteq \{me(n)\}$ 

$(I,H) \models^{l} \mathit{in}^{l^t}\,\mu$ iff $\mathit{in}^{l^t}\,\mu \in I(l) \wedge \forall l^{a} \in I^{-1}(\mathit{in}^{l^t}\,\mu) : \forall l^{a'} \in I^{-1}(l^{a}) : \forall l^{a''} \in I(l^{a'}) \cap H^{-1}(\mu) : l^{a} \in I(l^{a''})$ 

$(I,H) \models^{l} \mathit{out}^{l^t}\,\mu$ iff $\mathit{out}^{l^t}\,\mu \in I(l) \wedge \forall l^{a} \in I^{-1}(\mathit{out}^{l^t}\,\mu) : \forall l^{a'} \in I^{-1}(l^{a}) \cap H^{-1}(\mu) : \forall l^{a''} \in I^{-1}(l^{a'}) : l^{a} \in I(l^{a''})$ 

$(I,H) \models^{l} \mathit{open}^{l^t}\,\mu$ iff $\mathit{open}^{l^t}\,\mu \in I(l) \wedge \forall l^{a} \in I^{-1}(\mathit{open}^{l^t}\,\mu) : \forall l^{a'} \in I(l^{a}) \cap H^{-1}(\mu) : \forall l' \in I(l^{a'}) : l' \in I(l^{a})$ 

Table 3. Control flow analysis. 

The clause for $\mathit{in}^{l^t}\,\mu$ first ensures that the stable capability is properly recorded 
as part of the current ambient l. Then it ensures that all contexts $l^{a}$ in which 
the capability could occur (and this clearly includes l) are properly recorded as 
being possible subambients of all sibling ambients $l^{a''}$ having the stable name μ. 
This involves quantifying over all possible parent ambients $l^{a'}$ and using the 
component H to obtain the stable name of $l^{a''}$. 

The clause for $\mathit{out}^{l^t}\,\mu$ follows a similar pattern. First it ensures that the stable 
capability is recorded as part of the current ambient l. Next it ensures that all 
contexts $l^{a}$ in which the capability could occur (and again this includes l) are 
properly recorded as being possible ambients in all the possible grand parents 
$l^{a''}$ provided that the parent $l^{a'}$ has the stable name μ. 

[Figure 2: the drawing is not recoverable from the extraction.] 

Fig. 2. Pictorial representation of the analysis of stable capabilities. 

For the stable capability $\mathit{open}^{l^t}\,\mu$ we once again start by ensuring that it is 
properly recorded as part of the current ambient l. Then we consider all contexts 
$l^{a}$ in which the capability could occur (and once more this includes l) and find 
all subambients $l^{a'}$ having the stable name μ; these are opened by ensuring that 
whatever is included in the subambient $l^{a'}$ also occurs in the parent ambient $l^{a}$. 

It is crucial to observe that we need to consult all possible contexts $l^{a}$ in which 
the capability could occur and not just the obvious candidate l. This is because, 
in order to establish semantic soundness, the analysis has to take into account 
that the current ambient might be dissolved by an open capability. (This fine 
point was the main difficulty that needed to be overcome when developing the 
analysis.) 



Example 4. Let us check the condition $(I,H) \models^{A}_{me} k^{B}[\mathit{out}\,w.\,\mathit{in}\,k'.\,\mathit{in}\,w]$ that 
arises when checking that the analysis information (I, H) of Example 3 correctly 
validates the program $n^{l_*}[\mathit{Firewall} \mid \mathit{Agent}]$ of Example 1; here the naming 
environment me maps k, k', k'' and w to the stable names k, k', k'' and w, respectively. First 
we decide to let $\hat{N}$ be $\{k\}$. We then need to check that $(I,H) \Vdash_{me} k : \{k\}$ 
(which follows from the choice of me), that $\{k\} \subseteq H(B)$ (which follows from 
Example 3), that $B \in I(A)$ (which once more follows from Example 3) and that 
$(I,H) \models^{B}_{me} \mathit{out}\,w.\,\mathit{in}\,k'.\,\mathit{in}\,w$ (see below). 

To check that $(I,H) \models^{B}_{me} \mathit{out}\,w.\,\mathit{in}\,k'.\,\mathit{in}\,w$ we first decide to let $\hat{M}$ be $\{\mathit{out}\,w\}$. 
We then need to check that $(I,H) \rhd_{me} \mathit{out}\,w : \{\mathit{out}\,w\}$ (which follows from 
$(I,H) \Vdash_{me} w : \{w\}$), that $(I,H) \models^{B} \mathit{out}\,w$ (see below) and that $(I,H) \models^{B}_{me} 
\mathit{in}\,k'.\,\mathit{in}\,w$ (which amounts to twice repeating the checking illustrated for $\mathit{out}\,w$). 

Finally, let us check that $(I,H) \models^{B} \mathit{out}\,w$. First we check that $\mathit{out}\,w \in I(B)$ (us- 
ing Example 3). For the second condition we have $l^{a} \in I^{-1}(\mathit{out}\,w) = \{A, B, C\}$ 
and for each of the choices for $l^{a}$ we have $l^{a'} \in I^{-1}(l^{a}) \cap H^{-1}(w) = \{A, C\} \cap \{A\} = 
\{A\}$ so the parent ambient $l^{a'}$ of $l^{a}$ will always be A. The grand parent of $l^{a}$ is 
$l^{a''} \in I^{-1}(A) = \{A, C\}$ so the second condition amounts to checking that all of 
A, B and C are elements of both I(A) and I(C) and clearly this is the case. □ 



3.2 Properties of the Analysis 

In the terminology of data flow analysis [ref] the above analysis is flow-insensitive 
since we ignore the order in which the capabilities occur; also it is context- 
insensitive (or monovariant) since a capability is analysed in the same way for 
all contexts in which it occurs. 

Semantic Correctness. Having specified what it means for an analysis result 
(/, H) to be acceptable the next step is to show that the notion of acceptability 
is semantically meaningful. We begin by establishing some auxiliary properties. 

Fact 2. The analysis enjoys the following monotonicity properties: 

(i) If $(I,H) \models^{l_1}_{me} P$ and $I(l_1) \subseteq I(l_2)$ then $(I,H) \models^{l_2}_{me} P$. 

(ii) If $(I,H) \rhd_{me} M : \hat{M}_1$ and $\hat{M}_1 \subseteq \hat{M}_2$ then $(I,H) \rhd_{me} M : \hat{M}_2$. 

(iii) If $(I,H) \Vdash_{me} N : \hat{N}_1$ and $\hat{N}_1 \subseteq \hat{N}_2$ then $(I,H) \Vdash_{me} N : \hat{N}_2$. 

(iv) If $(I,H) \models^{l_1} \hat{m}$ and $I(l_1) \subseteq I(l_2)$ then $(I,H) \models^{l_2} \hat{m}$. 

The proofs of (ii), (iii) and (iv) are immediate; the proof of (i) is by structural 
induction. □ 

To express the next fact we shall write $me_1 =_P me_2$ to mean that $me_1$ and $me_2$ 
are equal on the free names of P and similarly for M and N. 

Fact 3. The analysis only depends on the stable free names: 

(i) If $me_1 =_P me_2$ and $(I,H) \models^{l}_{me_1} P$ then $(I,H) \models^{l}_{me_2} P$. 

(ii) If $me_1 =_M me_2$ and $(I,H) \rhd_{me_1} M : \hat{M}$ then $(I,H) \rhd_{me_2} M : \hat{M}$. 

(iii) If $me_1 =_N me_2$ and $(I,H) \Vdash_{me_1} N : \hat{N}$ then $(I,H) \Vdash_{me_2} N : \hat{N}$. 

The proofs of (iii) and then (ii) are immediate; the proof of (i) is by structural 
induction. □ 

Lemma 1. If $P \equiv Q$ then $(I,H) \models^{l}_{me} P$ if and only if $(I,H) \models^{l}_{me} Q$. 

The proof is by induction on the proof of $P \equiv Q$ and relies on Fact 3. □ 

We shall follow the approach from type systems and express the semantic cor- 
rectness result as a Subject Reduction Result. 



Theorem 1. If $(I,H) \models^{l}_{me} P$ and $P \to Q$ then $(I,H) \models^{l}_{me} Q$. 

The proof is by induction on the transition $P \to Q$ and relies on Lemma 1 and 
Fact 2. □ 

As a consequence, if (I, H) is an acceptable analysis result for the program 
$n^{l_*}[P_*]$ of interest (with respect to the initial naming environment $me_*$) then it 
will continue being so for all the derivatives of the program. 

Existence of Analysis Results. So far we have only shown how to check that a 
given pair (/, H) is indeed an acceptable analysis result; we have not studied 
(i) whether or not acceptable analysis results always exist, and if they do, (ii) 
whether or not there always is a least analysis result. 

To obtain these results we shall show that the set of acceptable analysis results 
constitutes a Moore family (or has a model intersection property): 

A subset Y of a complete lattice $(L, \sqsubseteq)$ is a Moore family whenever 
$Y' \subseteq Y$ implies that $\sqcap Y' \in Y$. 

By taking $Y' = \emptyset$ we see that a Moore family Y cannot be empty and by taking 
$Y' = Y$ we see that it always contains a least element; this will be essential for 
answering (i) and (ii) in the affirmative. 

In our setting the complete lattice of interest is the set $\mathrm{InAmb} \times \mathrm{HNam}$ of 
pairs of mappings (I, H) and the ordering is the pointwise extension of the 
subset ordering. We then have: 

Theorem 2. $\{(I,H) \mid (I,H) \models^{l}_{me} P\}$ is a Moore family for all l, me and P. 

The proof shows that all of the sets 

$\{(I,H,\hat{N}) \mid (I,H) \Vdash_{me} N : \hat{N}\}$, 

$\{(I,H) \mid (I,H) \models^{l} \hat{m}\}$, 

$\{(I,H,\hat{M}) \mid (I,H) \rhd_{me} M : \hat{M}\}$ 

are Moore families and then proceeds by structural induction. □ 

By restricting the attention to a given program $n^{l_*}[P_*]$ of size s one can devise an 
$O(s^5)$ algorithm for computing the least solution. Roughly the idea is as follows 
[ref]. There are O(s) places where conditions need to be checked. Each condition 
can have length $O(s^3)$ because there are at most three nested quantifiers each 
ranging over O(s) entities. Hence at most $O(s^4)$ basic conditions need to be 
checked. Since the height of each set of values is O(s) this can be implemented 
in $O(s^5)$ basic steps using standard worklist algorithms. (We conjecture that a 
more sophisticated implementation will be able to achieve a smaller exponent.) 



4 Validating Firewalls 



In the examples we have studied a notion of firewall given by its private name 
w and the passwords k, k' and k'' used for entering it. One aspect of being a 
firewall is that agents in the approved form must be allowed to enter. For the 
firewall proposed in Example 1 the approved form is $k'^{C}[\mathit{open}\,k.\,k''^{D}[Q]]$ and 
in Example 2 we showed that agents in this form can indeed enter the firewall: 
$\mathit{Firewall} \mid \mathit{Agent} \to^* (\nu w^{w})w^{A}[P \mid Q]$ (assuming that $w \notin \mathrm{fn}(Q)$). As in [ref] 
this can be strengthened to establish that $\mathit{Firewall} \mid \mathit{Agent}$ is observationally 
equivalent to $(\nu w^{w})w^{A}[P \mid Q]$ (assuming that $w \notin \mathrm{fn}(Q)$). 

Another aspect of being a firewall, not dealt with in [ref], is to ensure that processes 
not knowing the right passwords cannot enter. Due to the power of the ambient 
calculus this is not as trivial as it might appear at first sight. As an example, a 
process that does not initially know the passwords might nonetheless learn them 
by other means. As another example, the firewall might contain a trapdoor 
through which processes might be able to enter (see Example 5 below). 

We define a process U to be ignorant whenever $\mathrm{fn}(U) \cap \{k, k', k''\} = \emptyset$. We then 
define a proposed firewall F to be protective whenever the semantics of Section 
2 prevents it from allowing any ignorant process to enter. 



Example 5. Consider the proposed firewall 

$\mathit{Firewall}' : (\nu w^{w})w^{A}[k^{B}[\mathit{out}\,w.\,\mathit{in}\,k'.\,\mathit{in}\,w] \mid \mathit{open}\,k'.\,\mathit{open}\,k''.\,P 
\mid t[\mathit{out}\,w.\,\mathit{in}\,w.\,\mathit{open}\,q] \mid \mathit{open}\,t]$ 

that additionally contains a trapdoor t. It is easy to check that 

$\mathit{Firewall}' \mid \mathit{Agent} \to^* (\nu w^{w})w^{A}[\cdots \mid P \mid Q]$ 

using Agent of Example 1 (assuming that $w \notin \mathrm{fn}(Q)$). But now the ignorant 
process $q[\mathit{in}\,t.\,Q]$ can also enter as is shown by 

$\mathit{Firewall}' \mid q[\mathit{in}\,t.\,Q] \to^* (\nu w^{w})w^{A}[\cdots \mid P \mid Q]$ 

(assuming that $w \notin \mathrm{fn}(Q)$) unlike what was intended. This means that $\mathit{Firewall}'$ 
is not a protective firewall because it can be entered by a process not knowing 
the right passwords. □ 

The control flow analysis can be used to devise a test for whether or not a 
proposed firewall F is protective; the test is displayed in Table 4 and will be 
explained below. Since the control flow analysis is approximate, the test for 
protectiveness will be approximate as well; however, we shall ensure that whenever the 
test is passed then no ignorant process can enter. We believe this to be typical 
of applications where software developed by subcontractors is validated before 
being embedded in the software system under construction. 

Let us fix the distinct stable names w, k, k', k'', $\mu_0$ and $\mu_\bullet$, the distinct labels 
$l_0$, $l_t$ and $l_\bullet$, and the distinct names $n_0$ and $n_\bullet$. Thanks to Fact 1 we may without 
loss of generality assume that a proposed firewall $F = (\nu w^{w})w^{l}[F']$ does not 
contain any of these distinguished symbols in the subprocess F'. 
INPUT: a proposed firewall $F = (\nu w^{w})w^{l}[F']$ 
without distinguished symbols in F' 

OUTPUT: “accept” or “reject” 

METHOD: construct $\bar{F}$ (see the text) 
construct $me_0 = me_* \& (F', \mu_0)$ 
construct T (see the text) 
find the least (I, H) such that $(I,H) \models^{l_*}_{me_0} \bar{F} \mid T$ 
if $\exists l : l_\bullet \in I^{+}(l) \wedge w \in H(l)$ then “reject” else “accept” 

Table 4. Testing for protectiveness. 



Given a process Q we shall write $\bar{Q}$ for the process where all stable names are 
replaced by $\mu_0$, all ambient labels by the distinguished ambient label and all 
transition labels by the distinguished transition label. Write B for the process 

$\mathit{in}^{l_t}\,n_0 \mid \mathit{out}^{l_t}\,n_0 \mid \mathit{open}^{l_t}\,n_0 \mid \mathit{in}^{l_t}\,n_\bullet \mid \mathit{out}^{l_t}\,n_\bullet \mid \mathit{open}^{l_t}\,n_\bullet$ 

and define T to be 

$B \mid n_0^{l_0}[\,B \mid n_\bullet^{l_\bullet}[0]\,]$ 

and note that this defines an ignorant process with $\bar{T} = T$. 

Define the naming environment $me_*$ by $me_*(k) = k$, $me_*(k') = k'$, $me_*(k'') = k''$, 
$me_*(n_0) = \mu_0$, and $me_*(n_\bullet) = \mu_\bullet$. For a naming environment me, a set X 
of names and a stable name μ define the naming environment $me \& (X, \mu)$ by 

$(me \& (X, \mu))(n) = me(n)$ if $n \in \mathrm{dom}(me)$ 

$(me \& (X, \mu))(n) = \mu$ if $n \in X \setminus \mathrm{dom}(me)$ 

$(me \& (X, \mu))(n)$ undefined if $n \notin X \cup \mathrm{dom}(me)$ 

and note that $(me \& (X, \mu))(n) = me(n)$ whenever me(n) is defined. We shall 
allow ourselves to write $me \& (P, \mu)$ for $me \& (\mathrm{fn}(P), \mu)$. 

Given a proposed firewall $F = (\nu w^{w})w^{l}[F']$ we shall write $\bar{F}$ for the process 
$(\nu w^{w})w^{l}[F'']$ where F'' is like F' except that all stable names have been replaced 
by $\mu_0$. We have now defined all the notation used in the test displayed in Table 
4. It operates on a proposed firewall F and outputs “accept” or “reject”. It is 
clearly deterministic and given that the least (I, H) can be found in polynomial 
time it operates in polynomial time itself (in the size of F). 

The correctness of the test hinges on the following key result; it shows that, from 
the point of view of the analysis, it is as hard to protect a firewall F against the 
process T as it is to protect the firewall F against any other ignorant process U: 



Lemma 2. Let $F = (\nu w^{w})w^{l}[F']$ be a proposed firewall as demanded in Table 
4 and let (I, H) be as in Table 4. If U is an ignorant process then 
$(I,H) \models^{l_*}_{me'} F \mid U$ where $me' = (me_* \& (F, \mu_0)) \& (U, \mu_0)$. 

Proof. Write $me_0 = me_* \& (F, \mu_0)$ as in Table 4. By construction of (I, H) we 
have $(I,H) \models^{l_*}_{me_0} \bar{F} \mid T$ and using Fact 3 we get $(I,H) \models^{l_*}_{me'} \bar{F} \mid T$ from which 
$(I,H) \models^{l_*}_{me'} F$ and $(I,H) \models^{l_*}_{me'} T$ follows. By expansion of the latter we get 

$(I,H) \models^{l} \mathit{in}^{l_t}\,\mu$, $(I,H) \models^{l} \mathit{out}^{l_t}\,\mu$, $(I,H) \models^{l} \mathit{open}^{l_t}\,\mu$ (1) 

for all $l \in \{l_*, l_0\}$ and $\mu \in \{\mu_0, \mu_\bullet\}$; we also obtain 

$l_0 \in I(l_*)$, $l_\bullet \in I(l_0)$, $\mu_0 \in H(l_0)$, $\mu_\bullet \in H(l_\bullet)$ (2) 

To conclude that $(I,H) \models^{l_*}_{me'} F \mid U$ we need to prove that $(I,H) \models^{l_*}_{me'} U$ holds. 
Since U is ignorant this follows by Fact 3 from the following auxiliary result 
holding for arbitrary processes R: 

$(I,H) \models^{l}_{me} R$ for all l, me satisfying $l \in \{l_*, l_0\} \wedge \forall n \in \mathrm{fn}(R) : me(n) \in \{\mu_0, \mu_\bullet\}$ 

The proof of the auxiliary result is by structural induction on R and most of the 
cases are immediate so let us only consider the two interesting ones. 

The case $R = N^{l^{a}}[R_0]$: That $(I,H) \models^{l^{a}}_{me} R_0$ follows from the induction hypoth- 
esis; that $l^{a} \in I(l)$ follows from (2); taking $\hat{N} = \{me(N)\}$ we have $\hat{N} \subseteq H(l^{a})$ 
from (2) and $(I,H) \Vdash_{me} N : \hat{N}$ is immediate. 

The case $R = M.\,R_0$: That $(I,H) \models^{l}_{me} R_0$ follows from the induction hypothesis; 
taking $\hat{M} = \{\mathit{in}^{l_t}\,\mu_0, \mathit{out}^{l_t}\,\mu_0, \mathit{open}^{l_t}\,\mu_0, \mathit{in}^{l_t}\,\mu_\bullet, \mathit{out}^{l_t}\,\mu_\bullet, \mathit{open}^{l_t}\,\mu_\bullet\}$ we have $\forall \hat{m} \in 
\hat{M} : (I,H) \models^{l} \hat{m}$ from (1) and $(I,H) \rhd_{me} M : \hat{M}$ is immediate. □ 



When F passes the test and U is an ignorant process we want to show that 
no subambient of U ever passes inside w. Informally, this will take the form of 
assuming that $F \mid U \to^* R$ and guaranteeing that R contains no subambient 
$w[\cdots u[\cdots] \cdots]$ where u comes from U. Formalising this is somewhat tricky 
and we shall therefore avail ourselves of Fact 1 that allows us to arrange the 
labelling to suit our needs. Indeed, if $F \mid U \to^* R$ then $F \mid U \to^* R'$ for some 
R' such that $\lfloor R \rfloor = \lfloor R' \rfloor$. 

Theorem 3. If F passes the test of Table 4 and U is an ignorant process and if 
$F \mid U \to^* R$ then R contains no subterm $n_1^{l_1}[\cdots n_2^{l_2}[\cdots] \cdots]$ where $n_1$ has stable 
name w and $l_2$ is $l_\bullet$. 

Proof. Setting $me' = (me_* \& (F, \mu_0)) \& (U, \mu_0)$ and letting (I, H) be as in Table 
4 it follows from Lemma 2 that $(I,H) \models^{l_*}_{me'} F \mid U$. By Theorem 1 we also 
have $(I,H) \models^{l_*}_{me'} R$. Suppose for the sake of contradiction that R does contain 
$n_1^{l_1}[\cdots n_2^{l_2}[\cdots] \cdots]$ where $n_1$ has stable name w and $l_2$ is $l_\bullet$. Then it follows from 
$(I,H) \models^{l_*}_{me'} R$ that $l_\bullet \in I^{+}(l_1) \wedge w \in H(l_1)$ showing that the test could not 
have been passed. □ 
In summary, we have succeeded in using the control flow analysis to devise 
a polynomial time algorithm for ensuring that a proposed firewall is indeed 
protective; a web-based implementation is accessible via the Flow Logic web- 
page http://www.daimi.au.dk/~fn/FlowLogic.html. 

Example 6. To test Firewall from Example 1 and Firewall' from Example 5 we 
need to be more precise about the subprocess P; in our tests we have used 

$!p[\mathit{in}\,p \mid \mathit{out}\,p \mid \mathit{open}\,p \mid p[0]]$ 

(omitting labels) as an example of an unrestricted internal process. Then Firewall 
passes the test because $H^{-1}(w) = \{A\}$ and $I^{+}(A) \not\ni l_\bullet$, but Firewall' fails the 
test because $H^{-1}(w) = \{A\}$ and $I^{+}(A) \ni l_\bullet$. □ 
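As an added Python example (not the authors' implementation, nor the web-based one the paper points to), the following computes the least (I, H) of Section 3 by fixpoint iteration over the closure conditions of Table 3 and then runs the test of Table 4 on the firewalls of Examples 1 and 5 with the internal process of Example 6; on Firewall | Agent with P = Q = 0 it reproduces the table of Example 3. It assumes a constructed tuple encoding of annotated processes, the process clauses as described in the text of Section 3.1 (the first part of Table 3 is not reproduced on this page), transition labels 1-13 and the ambient labels E, F (the p ambients) and G (the trapdoor t) chosen here, and, following me_0, that free names of F' other than the passwords map to μ_0.

```python
"""Least control flow analysis (I, H) of Table 3 and the protectiveness test of Table 4.
Constructed illustration of the paper's definitions; not the authors' implementation."""
from collections import defaultdict

# Constructed AST: labels and stable names are plain strings, a stable capability is (kind, lt, mu).
#   ('nu', n, mu, P) = (nu n^mu)P   ('zero',) = 0   ('par', P, Q) = P | Q   ('bang', P) = !P
#   ('amb', n, l, P) = n^l[P]       ('cap', kind, lt, n, P) = kind^lt n. P   (kind in in/out/open)
ZERO = ('zero',)
def par(*ps):                              # n-ary parallel composition
    return ps[0] if len(ps) == 1 else ('par', ps[0], par(*ps[1:]))
def caps(*ms):                             # M1 | M2 | ...  (capabilities with 0 continuation)
    return par(*[('cap', k, lt, n, ZERO) for k, lt, n in ms])

class CFA:
    """Acceptability of Table 3, solved for its least (I, H) by naive fixpoint iteration."""
    def __init__(self):
        self.I = defaultdict(set)          # Lab^a -> P(Lab^a u SCap)
        self.H = defaultdict(set)          # Lab^a -> P(SNam)
        self.scaps = set()                 # stable capabilities whose closure conditions must hold

    def collect(self, p, me, l):
        """Syntax-directed clauses (first part of Table 3) under naming environment me, label l."""
        if p[0] == 'nu':                   # (nu n^mu)P: bind n to its stable name
            me2 = me.copy(); me2[p[1]] = p[2]; self.collect(p[3], me2, l)
        elif p[0] == 'par':
            self.collect(p[1], me, l); self.collect(p[2], me, l)
        elif p[0] == 'bang':               # !P and P are analysed alike
            self.collect(p[1], me, l)
        elif p[0] == 'amb':                # n^l'[P]: l' in I(l) and me(n) in H(l')
            _, n, la, q = p
            self.I[l].add(la); self.H[la].add(me[n]); self.collect(q, me, la)
        elif p[0] == 'cap':                # M^lt.P: the stable capability is recorded in I(l)
            _, kind, lt, n, q = p
            self.I[l].add((kind, lt, me[n])); self.scaps.add((kind, lt, me[n])); self.collect(q, me, l)
    def inv(self, x): return {la for la, s in self.I.items() if x in s}     # I^-1(x)
    def hinv(self, mu): return {la for la, s in self.H.items() if mu in s}  # H^-1(mu)

    def solve(self):
        """Closure conditions for in/out/open (last part of Table 3), iterated until nothing changes."""
        def add(la, x):
            if x in self.I[la]: return False
            self.I[la].add(x); return True
        changed = True
        while changed:
            changed = False
            for kind, lt, mu in list(self.scaps):
                for la in self.inv((kind, lt, mu)):   # every context the capability may occur in
                    if kind == 'in':       # la may move into a sibling ambient named mu
                        for la1 in self.inv(la):
                            for la2 in self.I[la1] & self.hinv(mu):
                                changed |= add(la2, la)
                    elif kind == 'out':    # la may leave a parent named mu into the grandparent
                        for la1 in self.inv(la) & self.hinv(mu):
                            for la2 in self.inv(la1):
                                changed |= add(la2, la)
                    else:                  # opening a child named mu spills its contents into la
                        for la1 in self.I[la] & self.hinv(mu):
                            for x in list(self.I[la1]):
                                changed |= add(la, x)
        return self

    def reach(self, l):
        """I^+(l): labels of all ambients that may (transitively) occur inside l."""
        seen, todo = set(), [l]
        while todo:
            for x in self.I[todo.pop()]:
                if isinstance(x, str) and x not in seen:
                    seen.add(x); todo.append(x)
        return seen

def bar(p, mu0):                           # F-bar: every stable name bound inside p becomes mu0
    if p[0] == 'nu': return ('nu', p[1], mu0, bar(p[3], mu0))
    return tuple(bar(x, mu0) if isinstance(x, tuple) else x for x in p)

W, MU0, MUB, L0, LB, LT = 'w', 'mu0', 'mu•', 'l0', 'l•', 'lt'     # distinguished symbols of Table 4
ME_STAR = {'k': 'k', "k'": "k'", "k''": "k''", 'n0': MU0, 'nb': MUB}   # me_*  (nb stands for n•)

def protective(F, top='l*'):
    """Table 4: accept iff no ambient named w may ever (transitively) contain the attacker's l•."""
    _, w, _, (_, _, lw, Fp) = F            # F = (nu w^w) w^lw[F']
    Fbar = ('nu', w, W, ('amb', w, lw, bar(Fp, MU0)))
    me0 = defaultdict(lambda: MU0, ME_STAR)   # me_0 = me_* & (F', mu0): other free names map to mu0
    B = caps(('in', LT, 'n0'), ('out', LT, 'n0'), ('open', LT, 'n0'),
             ('in', LT, 'nb'), ('out', LT, 'nb'), ('open', LT, 'nb'))
    T = par(B, ('amb', 'n0', L0, par(B, ('amb', 'nb', LB, ZERO))))   # the ignorant hard attacker
    cfa = CFA(); cfa.collect(par(Fbar, T), me0, top); cfa.solve()
    return all(LB not in cfa.reach(l) for l in cfa.hinv(W)), cfa

def firewall(P, extra=ZERO):
    """Example 1's (nu w^w)w^A[k^B[out^1 w. in^2 k'. in^3 w] | open^4 k'. open^5 k''. P | extra]."""
    pilot = ('amb', 'k', 'B', ('cap', 'out', '1', 'w', ('cap', 'in', '2', "k'", ('cap', 'in', '3', 'w', ZERO))))
    return ('nu', 'w', 'w', ('amb', 'w', 'A', par(pilot, ('cap', 'open', '4', "k'", ('cap', 'open', '5', "k''", P)), extra)))
AGENT = ('amb', "k'", 'C', ('cap', 'open', '6', 'k', ('amb', "k''", 'D', ZERO)))         # Example 1, Q = 0
INTERNAL = ('bang', ('amb', 'p', 'E', par(caps(('in', '7', 'p'), ('out', '8', 'p'), ('open', '9', 'p')),
                                         ('amb', 'p', 'F', ZERO))))                      # Example 6's P
TRAPDOOR = par(('amb', 't', 'G', ('cap', 'out', '10', 'w', ('cap', 'in', '11', 'w', ('cap', 'open', '12', 'q', ZERO)))),
               ('cap', 'open', '13', 't', ZERO))                                          # Example 5's trapdoor

def analyse(process, me=ME_STAR, top='l*'):
    """Least (I, H) with (I, H) |=^top_me process; analyse(par(firewall(ZERO), AGENT)) gives Example 3."""
    cfa = CFA(); cfa.collect(process, me, top); return cfa.solve()
```

`protective(firewall(INTERNAL))` returns True and `protective(firewall(INTERNAL, TRAPDOOR))` returns False, i.e. the accept/reject verdicts of Example 6.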



5 Conclusion 

It is well known that static techniques are needed for determining whether or not 
programs always evaluate in a permissible manner. Type systems have already 
been extensively used to study the properties of web-based languages and related 
calculi (e.g. [ref]) but more “traditional” approaches [ref] to static analysis have 
much to offer as well. In this paper we developed a control flow analysis for the 
ambient calculus building on recent developments for the π-calculus [ref]. 

The interplay between type systems and control flow analyses is not yet fully 
understood. While both type systems and control flow analyses can be proved 
semantically sound using a subject-reduction result, it would seem that only 
approaches based on control flow analyses admit least analyses for all processes. 
Indeed, often type systems (e.g. [ref]) lack the corresponding notion of principal 
type, thereby making them harder to use in practice as there may be exponen- 
tially many types to consider before any conclusions can be drawn. In a subse- 
quent paper we hope to use state-of-the-art techniques from data flow analysis 
to present an even stronger analysis than the control flow analysis developed 
here. 

More importantly we demonstrated how a careful exploitation of the detailed 
operation of the control flow analysis allowed us to construct an attacker that was 
as hard to protect against as any other attacker; this is somewhat reminiscent of 
the identification of hard problems in a given complexity class. This allowed us 
to predict the operation of the firewall in conjunction with all ignorant attackers 
based on its operation in conjunction with the hard attacker; if it successfully 
protects against the hard attacker it will also protect against all other ignorant 
attackers. 

This is a novel approach to the validation of software systems and we expect it to 
scale up to other calculi. Indeed, the basic machinery of the control flow analysis 
has already been developed for a number of calculi. Furthermore, by considering 
more powerful analyses expressed in the form of Flow Logics it is likely that one 
can reduce the gap between processes that know some of the passwords (hence 
are not ignorant) but still do not display them in the approved form. 
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Abstract. This paper introduces a generic and uniform approach to in- 
tegrate different design languages for distributed systems in verification 
tools. It is based on Meseguer’s Rewriting Logic, hence transitions be- 
tween the states of the respective system are modeled as (conditional) 
term rewriting steps modulo an equational theory. We argue that, for 
reasons of efficiency, it is intractable to admit arbitrary equations, and 
propose to employ rewriting modulo associativity and commutativity 
instead, using oriented versions of the equations. Furthermore the ques- 
tion is raised under which conditions this implementational restriction is 
complete. To this aim we define a coherence property which guarantees 
that every transition which is possible in the (fully equational) semantics 
can also be computed using the oriented equations, and we show that 
this property can be verified by testing the joinability of finitely many 
conditional critical pairs between transition rules and oriented equations. 



1 Introduction 

Because of the inherent complexity of distributed systems, tools for supporting 
their development become more and more indispensable. During the last years 
several prototypes have been developed, e.g. the Edinburgh Concurrency Work- 
bench (see [ref]), the Concurrency Factory ([ref]), Spin ([ref]), Truth ([ref]), and the 
symbolic model checker SMV ([13]). Most of the tools are tailored for a specific 
syntactic and semantic setting, such as CCS with transition system semantics 
and μ-calculus model checking. 

In order to ease the task of changing the design language accepted by the 
Concurrency Workbench of North Carolina (CWB-NC; [ref]), the Process Alge- 
bra Compiler (PAC-NC; [ref]) has been developed. Given the description of the 
syntax and operational semantics of a design language like CCS, it generates 
ML source code implementing a frontend which allows the CWB-NC to analyze 
systems specified in this language. However, since the semantics is specified in 
terms of structural operational rules, the semantic scope of this tool is restricted 
to (labeled) transition systems. 



Jos C.M. Baeten, Sjouke Mauw (Eds.): CONCUR’99, LNCS 1664, pp. 478 ff., 1999. 
We want to add a further degree of freedom by allowing also the semantic 
domain of the design language to be specified. This goal can be achieved by em- 
ploying Meseguer’s Rewriting Logic (cf. [ref]). This approach aims at a separate 
description of the static and of the dynamic aspects of a distributed system. 
More exactly, it distinguishes the laws describing the structure of the states of 
the system from the rules which specify its possible transitions. The two aspects 
are respectively formalized as a set of equations E and as a (conditional) rewrite 
system R. Both structures operate on states, represented as (equivalence classes 
of) Σ-terms where Σ is the signature of the design language under considera- 
tion. Since a single transition may comprise several independent rewriting steps, 
concurrent behavior can explicitly be modeled. 

Rewriting Logic has successfully been applied to specify various languages 
and semantic domains; an overview can be found in [ref]. Among others, Viry 
gives very natural specifications of CCS (see [ref]) and of the π-calculus ([ref]). 
However, since (conditional) term rewriting modulo arbitrary equational theo- 
ries is generally too complex or even undecidable, it is hard to implement this 
approach directly. Instead, following the ideas of Viry in [ref], we propose to 
decompose E into a set of directed equations $E_R$ and into a set AC expressing 
associativity and commutativity of certain binary operators in Σ. If $E_R$ is ter- 
minating modulo AC, then rewriting by R modulo E can be implemented by a 
combination of normalizing by $E_R$ and rewriting by R, both modulo AC. 

Since both ER and AC are contained in E, this approach is obviously sound, 
that is, a transition computed by the implementation is also possible in the (fully 
equational) semantics. However, the reverse implication, i.e. the completeness, 
does not always hold. In this paper we present sufficient conditions under which 
this property can be guaranteed. We show that the language specification has 
to match certain coherence properties which can be tested by inspecting a finite 
set of conditional critical pairs between rules of R and ER. 

The remainder of this paper is organized as follows. In Sect. 2 we collect the 
fundamental definitions and results dealing with rewriting. Sect. 3 presents our 
specification formalism and its implementation, whose completeness properties 
are investigated in Sect. 4. Finally, Sect. 5 concludes with some remarks. 



2 Preliminaries 

2.1 Abstract Reduction Systems 

A reduction system is a pair $(A, \to)$ where A is a set and $\to \subseteq A \times A$ is a binary 
relation on A. The symmetric, the transitive, the reflexive-transitive closure and 
the inverse of $\to$ are denoted by $\leftrightarrow$, $\to^{+}$, $\to^{*}$, and $\leftarrow$, respectively. An element 
$a \in A$ is called $\to$-reducible if there exists $b \in A$ such that $a \to b$, otherwise 
$\to$-irreducible. If $a \to^{*} b$, then b is called a $\to$-successor of a. An irreducible 
successor of a is called a $\to$-normal form of a; this is indicated by $a \to^{!} b$. The 
relation $\to$ is called confluent if every pair of successors of some element of 
A possesses a common successor. It is called terminating if there is no infinite 
descending chain of the form $a_0 \to a_1 \to \ldots$. 

It is well-known that in a confluent reduction system normal forms are unique 
if they exist. In particular, in a convergent (i.e., confluent and terminating) 
reduction system every element possesses a unique normal form. 

2.2 Term Rewriting Systems 

A signature Σ is a finite set of symbols, called operators, in which with every 
operator a natural number is associated, called its rank. For every $n \geq 0$, $\Sigma_n$ 
is the set of operators of rank n, so $f \in \Sigma_n$ indicates that f has rank n. Let X 
be an additional set of symbols, called variables. The set of Σ-terms over X is 
denoted by $T_\Sigma(X)$. For every $t \in T_\Sigma(X)$, $\mathrm{Pos}(t) \subseteq \{1, 2, \ldots\}^{*}$ and $X(t) \subseteq X$ 
are the set of all positions and the set of all variables contained in t, respectively. 
If every variable occurs at most once in t, then t is called linear. In particular, 
it is called ground if $X(t) = \emptyset$. Every position $w \in \mathrm{Pos}(t)$ uniquely identifies 
a subterm of t, denoted by $t|_w$, where $t|_\varepsilon = t$. The tree $t[w \leftarrow s] \in T_\Sigma(X)$ is 
obtained from t by replacing the subtree at $w \in \mathrm{Pos}(t)$ by the tree $s \in T_\Sigma(X)$. A 
substitution is a mapping $\sigma : X \to T_\Sigma(X)$; we identify it with its homomorphic 
extension to (tuples of) terms and denote the set of all substitutions by Sub. 

A term rewriting system (TRS) is a set of rules $R \subseteq T_\Sigma(X)^2$, each rep- 
resented as $l \to r$, where $l \notin X$ and $X(r) \subseteq X(l)$. As usual, the rewrite re- 
lation induced by R, $\to_R \subseteq T_\Sigma(X)^2$, is the smallest relation which comprises 
R and which is closed under arbitrary substitutions and contexts: for every 
$s, t \in T_\Sigma(X)$, $s \to_R t$ iff there exist $l \to r \in R$, $w \in \mathrm{Pos}(s)$, and $\sigma \in \mathrm{Sub}$ such 
that $s|_w = l\sigma$ and $t = s[w \leftarrow r\sigma]$. Here, $l\sigma$ is called an R-redex of s. 



2.3 Term Rewriting Modulo Equational Theories 

For a set E of equations, each of the form $u = v$, the same notations as above are 
used where usually the symmetric relation $\leftrightarrow_E$ is considered. Given $t \in T_\Sigma(X)$, 
$[t]_E$ denotes the congruence class of t modulo E, that is, $[t]_E = \{s \in T_\Sigma(X) \mid 
s \leftrightarrow_E^{*} t\}$. 

For any relations $\to_R$ and $\to_S$ on $T_\Sigma(X)$, let 

[definition not recoverable from the extraction] 

where juxtaposition denotes the composition of relations. In particular, when 
$\to_S$ is the replacement relation $\leftrightarrow_E$ induced by a set E of equations, we obtain 
the notion of term rewriting modulo E: for any $s, t \in T_\Sigma(X)$, 

$[s]_E \to [t]_E$ iff [not recoverable] iff [not recoverable] 

If the resulting relation is confluent (terminating, convergent), $\to_R$ is called 
confluent (terminating, convergent) modulo E. 

3 Rewriting Logic 

In this section we give the syntax and semantics of the rewriting framework 
which we use to specify concurrent systems. It is essentially based on Meseguer's 
Rewriting Logic, which exploits the observation that several models for concur- 
rency have the notion of state and transition in common. However, they differ 
in their distributed structure (e.g. interleaving vs. true concurrency). 

Rewriting Logic is intended to serve as a unifying mathematical model and 
uses notions from rewrite systems over equational theories. It aims at a separate 
description of the static and of the dynamic aspects of a distributed system. 
More exactly, it distinguishes the laws describing the structure of the states of 
the system from the rules which specify its possible transitions. The two aspects 
are respectively formalized as a set of equations $E$ and as a (conditional) TRS 
$R$. Both structures operate on states, represented as (equivalence classes of) $\Sigma$- 
terms where $\Sigma$ is the signature of the design language under consideration. Since 
a single transition may comprise several independent rewriting steps, concurrent 
behavior can explicitly be modeled. 

Our aim is to use this approach as the formal basis of our compiler gen- 
erator which, given the definition of a design language, automatically derives 
corresponding parsing and semantic functions which can be used as a frontend 
for verification tools such as Truth. However, since (conditional) term 
rewriting modulo arbitrary equational theories is generally too complex or even 
undecidable, we decompose E into a set of directed equations ER (in other 
words, a TRS) and into a set AC expressing associativity and commutativity of 
certain binary operators in E. If ER is terminating modulo AC , then rewriting 
by R modulo E can be implemented by a combination of normalizing by ER and 
rewriting by R, both modulo AC . We will see later under which assumptions 
this combination behaves as expected. 

3.1 Syntax 

Extending the notion of a rewrite theory in Rewriting Logic, we define the 
syntax of our specification formalism as follows. 



Definition 1. An oriented rewrite theory (ORT for short) is a quadruple 
$\mathcal{T} = (\Sigma, AC, ER, R)$ where 

— $\Sigma$ is a signature with $\Sigma_{AC} \subseteq \Sigma_2$ being the set of AC-symbols, 

— $AC = \{ x + (y + z) = (x + y) + z \mid + \in \Sigma_{AC} \} \cup \{ x + y = y + x \mid + \in \Sigma_{AC} \}$, 

— $ER \subseteq T_\Sigma(X)^2$ is a finite TRS convergent modulo $AC$, and 

— $R$ is a finite set of (conditional) transition rules, each represented as 

$\dfrac{C}{l \to r}$ with $C = \{ c_1 \to c'_1, \ldots, c_k \to c'_k \}$, where 

• $l \notin X$, 

• $l$ is linear and $\to_{ER/AC}$-irreducible, 

• $X(c_i) \subseteq X(l)$ for every $i \in \{1, \ldots, k\}$, and 

• $X(r) \subseteq X(l) \cup \bigcup_{i=1}^{k} X(c'_i)$. 

Thus we have two kinds of rules: rules in ER are always given an equational 
interpretation, that is, the oriented rewrite theory defines equivalence classes 
modulo AC U ER. The convergence of ER is required to provide unique normal 
forms. In contrast, rules in R describe transitions between states of the system 
under consideration. Here, the conditions account for the fact that the 
behavior of a complex system may depend on the behavior of its components. 

Our definition of an ORT differs from Viry's with regard to the 
following aspects: 

— Viry does not take conditions in the transition rules into account, which is 
crucial for many applications. 

— We do not necessarily assume the transition relation induced by an ORT to 
be congruent. This will be justified later. 

In the following example we apply our formalism to the well-known CCS 
process algebra, the Calculus of Communicating Systems, of which we consider 
only the finite part. The exposition is inspired by an approach from the literature. 
In particular, the additional binary operator $\{.\}.$ is used to simulate the 
(action) labels of the transition steps, which are not provided in the formal 
definition of the transition rules. 

Example 2. The ORT $\mathcal{T} = (\Sigma, AC, ER, R)$ is given by the following components, 
using the set $X = \{a, x, x', y, y', z\}$ of variables: 

— $\Sigma = \{ nil^{(0)}, .^{(2)}, +^{(2)}, \|^{(2)}, \bar{\ }^{(1)}, \tau^{(0)}, \{.\}.^{(2)} \} \cup A$, where 
$A = \{ a^{(0)}, b^{(0)}, \ldots \}$ is a set of actions (restrictions and relabelings are 
omitted for simplification), 

— $\Sigma_{AC} = \{ +, \| \}$, 

— $ER = \{ z + nil \to z,\ z \| nil \to z,\ z + z \to z,\ \bar{\bar{a}} \to a \}$, and 

— $R$ consists of the four transition rules 

$\dfrac{}{a.x \to \{a\}x}$ \qquad $\dfrac{x \to \{a\}x'}{x + y \to \{a\}x'}$ 

$\dfrac{x \to \{a\}x'}{x \| y \to \{a\}(x' \| y)}$ \qquad $\dfrac{x \to \{a\}x',\ y \to \{\bar{a}\}y'}{x \| y \to \{\tau\}(x' \| y')}$. 

Since the equations in $AC$ and $ER$ identify certain states, the state space 
of the resulting system as well as the number of rewrite rules is reduced. For 
example, the symmetric counterparts of the “+” and of the first “$\|$” rule in $R$ 
are not required above because $\Sigma_{AC} = \{ +, \| \}$. 

3.2 Semantics 

The (operational) semantics of ORTs expresses that a concurrent system whose 
current state is represented by the term $s$ (or some equivalent thereof) can evolve 
to the state $t$ provided that there exists a transition rule whose left-hand side 
matches $s$ modulo $AC$ and $ER$ and whose conditions are fulfilled. This intuitive 
notion is formally described as follows, where $\mathcal{T} = (\Sigma, AC, ER, R)$ denotes an 
arbitrary ORT. 

Definition 3. The semantic transition relation of $\mathcal{T}$, 
$\to_{\mathcal{T}} = \bigcup_{n \in \mathbb{N}} \to_n$ with $\to_n \subseteq T_\Sigma(X)^2$ for every 
$n \in \mathbb{N}$, is inductively given by 

$\to_0 = \emptyset$ and 

$\to_{n+1} = \{ (s, t) \mid$ ex. $\dfrac{C}{l \to r} \in R$, $\sigma \in Sub$ s.t. $s \leftrightarrow^*_E l\sigma$, $r\sigma \leftrightarrow^*_E t$, 
and $c\sigma \to_n c'\sigma$ for every $c \to c' \in C \}$, 

where $E = AC \cup ER$, and where $n \in \mathbb{N}$ is called the depth of the transition. 

Note that the transition relation induced by an ORT is closed under substi- 
tutions, like in the (conditional) TRS case. However, in contrast to the original 
definition of Rewriting Logic, it is not closed under contexts since the left-hand 
side $l$ of the rule has to be matched against the whole term $s$. In other words, 
its symmetric, reflexive, and transitive closure is not necessarily a congruence 
relation. Otherwise, in the CCS example above a transition of the form 

$a.b.nil \to_{\mathcal{T}} \{b\}a.nil$ 

would be possible, which should clearly be forbidden. 

However, if the congruence property is desired then it can be achieved by 
adding an appropriate rule for every operator. For example, the congruence 
with respect to an operator $f \in \Sigma_n$ can be expressed by the rule 

$\dfrac{x_1 \to y_1, \ldots, x_n \to y_n}{f(x_1, \ldots, x_n) \to f(y_1, \ldots, y_n)}$. 
3.3 Implementation 

As explained above, the transition relation is to be implemented by exploiting 
the decomposition of $E$ into $AC$ and $ER$: before applying a rule from $R$, the 
current term is transformed into $\to_{ER}$-normal form modulo $AC$. 

Definition 4. The implementational transition relation of $\mathcal{T}$, 
$\Rightarrow_{\mathcal{T}} = \bigcup_{n \in \mathbb{N}} \Rightarrow_n$ with $\Rightarrow_n \subseteq T_\Sigma(X)^2$ for every 
$n \in \mathbb{N}$, is inductively given by 

$\Rightarrow_0 = \emptyset$ and 

$\Rightarrow_{n+1} = \{ (s, t) \mid s$ is $\to_{ER/AC}$-irreducible, ex. $\dfrac{C}{l \to r} \in R$, $\sigma \in Sub$ s.t. 
$s \leftrightarrow^*_{AC} l\sigma$, $r\sigma \to^!_{ER/AC} t$, and 
$c\sigma \to^!_{ER/AC} \Rightarrow_n \leftarrow^!_{ER/AC} c'\sigma$ for every $c \to c' \in C \}$. 

Note that $\Rightarrow_{\mathcal{T}}$ relates $\to_{ER/AC}$-normal forms only. 

If, in addition to Definition 1, every rule 
$\dfrac{c_1 \to c'_1, \ldots, c_k \to c'_k}{l \to r} \in R$ satisfies the following 
requirements, then the implementational transition relation is 
decidable: for every $i \in \{1, \ldots, k\}$, 

(i) $c_i$ is a proper subterm of $l$, i.e., there exists $p \in Pos(l) \setminus \{\varepsilon\}$ 
such that $l|_p = c_i$, and 

(ii) no $ER$-rule is applicable to any instance of a non-variable subterm of $c'_i$ 
(modulo $AC$), i.e., for every $g \to d \in ER$ and every $p \in Pos(c'_i)$ with 
$c'_i|_p \notin X$, there exists no $\sigma \in Sub$ such that $(c'_i|_p)\sigma \leftrightarrow^*_{AC} g\sigma$. (We 
will see below that this property is decidable.) 



Under these assumptions the normalizing reductions in Definition 4 starting in 
$c\sigma$ and in $c'\sigma$ can obviously be omitted since both terms are $\to_{ER/AC}$-irreducible. 
Hence it is possible to compute the set of all direct $\Rightarrow_{\mathcal{T}}$-successors of a given term 
$s \in T_\Sigma(X)$ in $\to_{ER/AC}$-normal form using the following informal algorithm. For 
every rule $\frac{C}{l \to r} \in R$ whose left-hand side $l$ matches $s$ modulo $AC$ (using the 
substitution $\sigma \in Sub$, i.e., $s \leftrightarrow^*_{AC} l\sigma$), every condition $c \to c' \in C$ has to be 
verified. This is done by recursively computing every $d \in T_\Sigma(X)$ with $c\sigma \Rightarrow_{\mathcal{T}} d$ 
and by extending $\sigma$ such that $c'\sigma$ matches $d$ modulo $AC$. If this is possible for 
every condition, then the $\to_{ER/AC}$-normal form $t$ of $r\sigma$ is a direct $\Rightarrow_{\mathcal{T}}$-successor of $s$. 

Note that our CCS specification (see Example 2) satisfies both requirements. 
Property (i) above is essential to guarantee the termination of the recursive 
evaluation of the conditions. It would be violated if we added the CCS rule for 
recursion which describes the “unwinding” of fixpoints. 
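The following Python program is an added illustration of the algorithm just described, applied to the finite-CCS ORT of Example 2; it is not the paper's implementation (which uses ELAN and Haskell). AC-normal forms are represented by flattening and sorting the arguments of + and ||, the oriented equations of ER are applied during normalization, and conditions are evaluated by the recursive computation of successors described above. The tuple encoding of terms and all function names are choices made for this example.

```python
"""Added example: the algorithm of Sect. 3.3 applied to the finite-CCS ORT of
Example 2.  Illustrative code written for this page, not the paper's
implementation.  Terms are nested tuples; the AC operators + and || are kept
flattened and sorted so that AC-equal terms have a single representation, and
the oriented equations of ER are applied during normalization."""
from itertools import combinations

NIL = ('nil',)
TAU = ('tau',)

def act(name):      # atomic action a, b, ...
    return ('act', name)

def co(a):          # complementary action (the overline operator)
    return ('co', a)

def pre(a, p):      # prefix a.p
    return ('pre', a, p)

def lab(a, p):      # {a}p: transition label encoded as a binary operator
    return ('lab', a, p)

def plus(*ps):
    return ('+', tuple(ps))

def par(*ps):
    return ('||', tuple(ps))

def normalize(t):
    """ER/AC-normal form.  AC: flatten nested + / || and sort the arguments.
    ER: z + nil -> z, z || nil -> z, z + z -> z, co(co(a)) -> a."""
    op = t[0]
    if op in ('+', '||'):
        kids = []
        for k in t[1]:
            k = normalize(k)
            if k == NIL:                     # z + nil -> z, z || nil -> z
                continue
            kids.extend(k[1] if k[0] == op else (k,))   # associativity
        if op == '+':
            kids = set(kids)                 # z + z -> z, modulo AC
        kids = sorted(kids)                  # commutativity
        if not kids:
            return NIL
        return kids[0] if len(kids) == 1 else (op, tuple(kids))
    if op == 'co':
        a = normalize(t[1])
        return a[1] if a[0] == 'co' else ('co', a)      # co(co(a)) -> a
    if op in ('pre', 'lab'):
        return (op, normalize(t[1]), normalize(t[2]))
    return t

def splits(op, kids):
    """All matchings of x op y against an n-ary AC term modulo AC: x is a
    non-empty proper sub-multiset of the arguments, y the remaining ones."""
    n = len(kids)
    for r in range(1, n):
        for idx in combinations(range(n), r):
            x = normalize((op, tuple(kids[i] for i in idx)))
            y = normalize((op, tuple(kids[i] for i in range(n) if i not in idx)))
            yield x, y

def moves(t):
    """Condition evaluation: every d with t => d, matched against the
    condition's right-hand side {a}x' to bind (a, x')."""
    return [(d[1], d[2]) for d in successors(t)]

def successors(s):
    """Direct implementational successors (Definition 4) of a term s: the set
    of ER/AC-normal forms {a}s' with s => {a}s'."""
    s = normalize(s)
    out = set()
    if s[0] == 'pre':                        # a.x -> {a}x
        out.add(normalize(lab(s[1], s[2])))
    elif s[0] == '+':                        # x -> {a}x'  /  x + y -> {a}x'
        for x, _y in splits('+', s[1]):
            out |= successors(x)
    elif s[0] == '||':
        for x, y in splits('||', s[1]):
            for a, x1 in moves(x):           # x -> {a}x'  /  x||y -> {a}(x'||y)
                out.add(normalize(lab(a, par(x1, y))))
                for b, y1 in moves(y):       # y -> {co(a)}y'  /  x||y -> {tau}(x'||y')
                    if normalize(co(a)) == b:
                        out.add(normalize(lab(TAU, par(x1, y1))))
    return out                               # nil and {a}p have no successors

if __name__ == '__main__':
    A = act('a')
    # a.nil || co(a).nil : two independent moves and one synchronization
    for t in sorted(successors(par(pre(A, NIL), pre(co(A), NIL)))):
        print(t)
```

Running the script prints the three successors of a.nil || ā.nil, namely {a}ā.nil, {ā}a.nil and {τ}nil. Because + is normalized to a set of summands, a.nil + a.nil has the single successor {a}nil, which is the state-space reduction mentioned after Example 2, and a.b.nil has only the successor {a}b.nil, since rules apply at the root only.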

Condition (ii) prevents problems which arise from the fact that irreducible 
terms may become reducible under certain substitutions. The following example 
illustrates this situation. 

Example 5. Let $\mathcal{T} = (\Sigma, AC, ER, R)$ be given by $\Sigma = \{ a^{(0)}, b^{(0)}, c^{(0)}, f^{(2)} \}$, 
$\Sigma_{AC} = \emptyset$, $ER = \{ f(b, c) \to b \}$, and 
$R = \left\{ \dfrac{}{a \to f(b, c)},\ \dfrac{x \to f(y, z)}{f(x, y) \to z} \right\}$. 

According to Definition 4 the term $s = f(a, b)$ possesses the direct $\Rightarrow_{\mathcal{T}}$- 
successor $t = c$: under the substitution $\sigma = [x/a, y/b, z/c]$, we have $s = f(x, y)\sigma$, 
$x\sigma = a \to_{\mathcal{T}} f(b, c) \to_{ER/AC} b$ (and hence $x\sigma \Rightarrow_{\mathcal{T}} b$), $f(y, z)\sigma = f(b, c) \to_{ER/AC} b$, and 
$z\sigma = c = t$. 

On the other hand, the above algorithm would proceed as follows. 

(i) The left-hand side $f(x, y)$ is matched against $s = f(a, b)$, using the substi- 
tution $\tau = [x/a, y/b]$. 

(ii) As above, the recursive evaluation of the condition's left-hand side ($x\tau = 
a \to_{\mathcal{T}} f(b, c) \to_{ER/AC} b$) yields $b$. 

(iii) However, the instantiated right-hand side $f(y, z)\tau = f(b, z)$ is $\to_{ER/AC}$-irre- 
ducible. Thus, the validity of the condition $x \to f(y, z)$ can only be shown 
by “guessing” the substitution $[z/c]$, which is of course impossible. Clearly, 
requirement (ii) above disables such situations. 

However, for the remainder of the paper the above properties are not required. 
The following observation can easily be proved using induction on $n$ and 
exploiting the fact that $\leftrightarrow^*_{AC} \subseteq \leftrightarrow^*_E$. 

Lemma 6. For every $n \in \mathbb{N}$, 

(i) $\to_n \subseteq \to_{n+1}$, 

(ii) $\Rightarrow_n \subseteq \Rightarrow_{n+1}$, and 

(iii) $\Rightarrow_n \subseteq \to_n$. 

In particular, part (iii) of this lemma yields the fact that the implementa- 
tional relation $\Rightarrow_{\mathcal{T}}$ is sound with respect to the semantic relation $\to_{\mathcal{T}}$: 

Corollary 7. For every $s, t \in T_\Sigma(X)$, $s \Rightarrow_{\mathcal{T}} t$ implies $s \to_{\mathcal{T}} t$. 



4 Completeness of the Implementation 

Now we will consider completeness, i.e., we have to discuss the question whether 
every transition which is possible in the (fully equational) semantics can also be 
computed using the oriented equations. 



486 



Thomas Noll 



4.1 Level Coherence 



The following definition presents a sufficient criterion. It expresses that the choice 
of the $\to_{ER/AC}$-normal form must not restrict the potential for transitions. Note 
that similar properties have been investigated in the setting of term rewriting 
modulo equational theories. 



Definition 8. $\mathcal{T}$ is level-coherent iff, for every $n \in \mathbb{N}$ and every 
$(s, t) \in \to_n$, there exists $u \in T_\Sigma(X)$ such that 

$s \to^!_{ER/AC} \Rightarrow_n u \leftarrow^!_{ER/AC} t$. 

This property is illustrated by the diagram on the right-hand side. 

Obviously the property of level coherence implies the completeness of $\Rightarrow_{\mathcal{T}}$ 
with respect to $\to_{\mathcal{T}}$. 

Corollary 9. If $\mathcal{T}$ is level-coherent, then for every $(s, t) \in \to_{\mathcal{T}}$ there exists 
$u \in T_\Sigma(X)$ such that $s \to^!_{ER/AC} \Rightarrow_{\mathcal{T}} u \leftarrow^!_{ER/AC} t$. 

Note that level coherence is generally not necessary for the completeness of 
$\Rightarrow_{\mathcal{T}}$ with respect to $\to_{\mathcal{T}}$. If we have, for example, an unconditional 
rule $a \to c$ and a conditional rule with conclusion $b \to c$ in $R$, and 
$ER = \{ a \to b \}$, then it is impossible to close the following “peak” by means of 
a $\Rightarrow_1$-step: 

$c \leftarrow_1 a \to_{ER/AC} b$. 

Instead, the proper conditional rule with conclusion $b \to c$ must be applied, 
which requires a greater depth than the unconditional step $a \to_1 c$. 

In principle such situations could be taken into account by introducing a 
more general notion of coherence, abstracting from the level index $n$, which 
would complicate many of the subsequent definitions and theorems. However, 
with the applications we have in mind it suffices to consider level coherence 
since normally the TRS $ER$ is “simplifying”; that is, it reduces the depth of the 
reduction. This holds e.g. for the CCS specification in Example 2. 
4.2 Conditional Critical Pairs 

We will now give a necessary and sufficient criterion which guarantees the level 
coherence of an ORT and, thus, the completeness of the implementation. Note 
that Definition 8 potentially describes infinitely many critical situations since 
at the root position arbitrary terms $s$ are admitted. However, we observe the 
following possibilities for simplifications, leading to a finite collection of critical 
pairs to be investigated: 

— Since reductions at non-overlapping positions of the start term are indepen- 
dent (see the proof of Theorem 12), only proper matchings between rules 
of $R$ and $ER$ have to be considered. (This is comparable to the confluence 
analysis of ordinary TRS.) 

— Since rules in $R$ can only be applied at the root position, only occurrences 
of $ER$-redexes in left-hand sides of $R$-rules have to be regarded (and not 
vice versa). 

— Instead of taking into account all possible instances, it suffices to analyze 
those critical pairs which are obtained by applying “most general” unifiers. 
Now it becomes important that the $AC$-unification problem is decidable and 
finitary; that is, one can always decide whether two given terms $s, t \in T_\Sigma(X)$ 
are $AC$-equivalent under some substitution and, if they are, determine a 
finite minimal complete set of substitutions $\sigma$ such that $s\sigma \leftrightarrow^*_{AC} t\sigma$. 
We denote this set by $MCU_{AC}(s, t)$. 

— The potential infinity which arises from the conditions is captured by repre- 
senting the corresponding dependences symbolically. 

In order to simplify the representation we assume without loss of generality that 
the variables in $R$ and $ER$ are disjoint. 

Definition 10. Let $\mathcal{T} = (\Sigma, AC, ER, R)$ be an ORT. The set of conditional 
critical pairs of $\mathcal{T}$, $CCP(\mathcal{T}) \subseteq T_\Sigma(X)^2 \times \mathcal{P}(T_\Sigma(X)^2)$, is given by 

$CCP(\mathcal{T}) = \{ (s, t, C\sigma) \mid$ ex. $\dfrac{C}{l \to r} \in R$, $p \in Pos(l)$ with $l|_p \notin X$, 
$g \to d \in ER$, and $\sigma \in MCU_{AC}(l|_p, g)$ s.t. $s = r\sigma$ and $t = (l[p \leftarrow d])\sigma \}$. 

Note that since $R$ and $ER$ are assumed to be finite, $CCP(\mathcal{T})$ is finite as well. 

4.3 Level Joinability of Critical Pairs 

Now we define a property which is related to the notion of shallow joinability 
of critical pairs in conditional TRS. In contrast to the latter, which does not 
guarantee the confluence (at least for join systems), our condition char- 
acterizes the level coherence of an ORT and, thus, assures the completeness of 
the implementation. 
Definition 11. Let $(s, t, C) \in CCP(\mathcal{T})$ and $n \in \mathbb{N}$. A substitution $\sigma \in Sub$ is 
called $(C, n)$-feasible iff $c\sigma \to^!_{ER/AC} \Rightarrow_n \leftarrow^!_{ER/AC} c'\sigma$ for every $c \to c' \in C$. A 
critical pair $(s, t, C) \in CCP(\mathcal{T})$ is called level-joinable iff, for every $n \in \mathbb{N}$ and 
every $(C, n)$-feasible substitution $\sigma \in Sub$, 

$s\sigma \to^!_{ER/AC} \Leftarrow_{n+1} \leftarrow^!_{ER/AC} t\sigma$. 

$CCP(\mathcal{T})$ is called level-joinable iff every critical pair $(s, t, C) \in CCP(\mathcal{T})$ is. 

Theorem 12. $\mathcal{T}$ is level-coherent iff $CCP(\mathcal{T})$ is level-joinable. 



Proof. We start with the “only if” part. Let $\mathcal{T}$ be level-coherent, $(s, t, C) \in 
CCP(\mathcal{T})$, $n \in \mathbb{N}$, and let $\sigma \in Sub$ be a $(C, n)$-feasible substitution. By Def- 
inition 10 there exist $\dfrac{c_1 \to c'_1, \ldots, c_k \to c'_k}{l \to r} \in R$, $g \to d \in ER$, $p \in Pos(l)$ 
with $l|_p \notin X$, and $\tau \in MCU_{AC}(l|_p, g)$ such that $s = r\tau$, $t = (l[p \leftarrow d])\tau$, 
and $C = \{ c_i\tau \to c'_i\tau \mid 1 \leq i \leq k \}$. The $(C, n)$-feasibility of $\sigma$ implies that 
$c_i\tau\sigma \to^!_{ER/AC} \Rightarrow_n \leftarrow^!_{ER/AC} c'_i\tau\sigma$ and hence (using Lemma 6(iii)) $c_i\tau\sigma \to_n c'_i\tau\sigma$ 
for every $i \in \{1, \ldots, k\}$. This allows us to conclude that $l\tau\sigma \to_{n+1} r\tau\sigma = s\sigma$. 

Since $\tau \in MCU_{AC}(l|_p, g)$, since term rewriting relations are closed under 
both substitutions and contexts, and since $l$ is linear, we have $l\tau\sigma \leftrightarrow^*_{AC} (l[p \leftarrow 
g])\tau\sigma \to_{ER} (l[p \leftarrow d])\tau\sigma = t\sigma$, and hence $s\sigma \leftrightarrow^*_E l\tau\sigma \to_{ER/AC} t\sigma$. According to 
Definition 8, applied to $(l\tau\sigma, s\sigma) \in \to_{n+1}$, there exists $u \in T_\Sigma(X)$ with 
$l\tau\sigma \to^!_{ER/AC} \Rightarrow_{n+1} u \leftarrow^!_{ER/AC} s\sigma$, and by the convergence of $ER$ modulo $AC$ the 
$\to_{ER/AC}$-normal forms of $l\tau\sigma$ and $t\sigma$ coincide. Hence we obtain the joinability 
$s\sigma \to^!_{ER/AC} u \Leftarrow_{n+1} \leftarrow^!_{ER/AC} t\sigma$, as desired. 

To prove the “if” part, let $CCP(\mathcal{T})$ be level-joinable. By complete induction 
on $n$ we establish the level coherence of $\mathcal{T}$ by showing that, for every $s, t, u \in 
T_\Sigma(X)$ and every $n \in \mathbb{N}$, 

if $u \to_n s$ and $u \to^!_{ER/AC} t$, then there exists $v \in T_\Sigma(X)$ with $t \Rightarrow_n v \leftarrow^!_{ER/AC} s$. 

$n = 0$: Since $\to_0 = \emptyset$ (see Definition 3), the proposition holds trivially. 

$n \to n + 1$: Since $u \to_{n+1} s$, there exist $\dfrac{C}{l \to r} \in R$ and $\sigma \in Sub$ such that 
$u \leftrightarrow^*_E l\sigma$, $r\sigma \leftrightarrow^*_E s$, and $c\sigma \to_n c'\sigma$ for every $c \to c' \in C$. By induction 
hypothesis, 

$c\sigma \to^!_{ER/AC} \Rightarrow_n \leftarrow^!_{ER/AC} c'\sigma$ \qquad (*) 

for every $c \to c' \in C$. 

We proceed by showing that $l\sigma \to^!_{ER/AC} \Rightarrow_{n+1} \leftarrow^!_{ER/AC} s$, using complete 
induction on $m$, where $m \in \mathbb{N}$ is the number of steps of the longest $\to_{ER/AC}$- 
reduction starting in $l\sigma$. (Note that $ER$ is assumed to be terminating modulo 
$AC$.) Since $u \leftrightarrow^*_E l\sigma$ and $u \to^!_{ER/AC} t$, the convergence of $ER$ modulo $AC$ 
then enables us to conclude that $l\sigma \to^!_{ER/AC} t$, closing the above diagram as 
desired. 

$m = 0$: Here, $l\sigma$ is $\to_{ER/AC}$-irreducible. Hence, using (*), $l\sigma \Rightarrow_{n+1} v$ for the 
$\to_{ER/AC}$-normal form $v$ of $r\sigma$, where $r\sigma \leftrightarrow^*_E s$ again implies $s \to^!_{ER/AC} v$ by 
convergence. 

$m \to m + 1$: Let $l\sigma$ be $\to_{ER/AC}$-reducible, that is, there exists $t' \in T_\Sigma(X)$ 
such that $l\sigma \leftrightarrow^*_{AC} \to_{ER} t'$. This implies that there are $p \in Pos(t')$ and 
$g \to d \in ER$ with $l\sigma \leftrightarrow^*_{AC} t'[p \leftarrow g\sigma]$ and $t'|_p = d\sigma$. (Note that we 
can reuse the above substitution $\sigma$ since $R$ and $ER$ are assumed to be 
variable-disjoint.) 

If $\dfrac{C}{l \to r}$ and $g \to d$ are applied at overlapping positions, i.e., $g\sigma \leftrightarrow^*_{AC} (l|_q)\sigma$ 
for some $q \in Pos(l)$ with $l|_q \notin X$, then $(r\sigma, t', C\sigma)$ is an 
instance of a conditional critical pair: there exist $\tau \in MCU_{AC}(l|_q, g)$ 
and $\tau' \in Sub$ such that $(r\tau, (l[q \leftarrow d])\tau, C\tau) \in CCP(\mathcal{T})$, $r\sigma \leftrightarrow^*_{AC} r\tau\tau'$, 
$t' \leftrightarrow^*_{AC} (l[q \leftarrow d])\tau\tau'$, $c\sigma \leftrightarrow^*_{AC} c\tau\tau'$, and $c'\sigma \leftrightarrow^*_{AC} c'\tau\tau'$ for every 
$c \to c' \in C$. Since (*) holds for every $c \to c' \in C$, $\tau'$ is a $(C\tau, n)$-feasible 
substitution. Hence the level joinability (Definition 11) and the fact that 
$s \leftrightarrow^*_E r\sigma \leftrightarrow^*_{AC} r\tau\tau'$ yield $t' \to^!_{ER/AC} \Rightarrow_{n+1} \leftarrow^!_{ER/AC} s$; since 
$l\sigma$ and $t'$ have the same $\to_{ER/AC}$-normal form, this is the desired 
$l\sigma \to^!_{ER/AC} \Rightarrow_{n+1} \leftarrow^!_{ER/AC} s$. 

Otherwise $g \to d$ is applied below $l$, i.e., for some $x \in X(l)$ and some 
$p \in Pos(x\sigma)$, $g\sigma \leftrightarrow^*_{AC} (x\sigma)|_p$. 

Since $l$ is linear, the $\to_{ER/AC}$-successor $t'$ of $l\sigma$ can be represented as $t' \leftrightarrow^*_{AC} 
l\sigma'$ where $\sigma' \in Sub$ is given by $x\sigma' = (x\sigma)[p \leftarrow d\sigma]$ and $y\sigma' = y\sigma$ for 
every $y \in X \setminus \{x\}$. Now, on the one hand, we have seen above (*) that 
$c\sigma \to^!_{ER/AC} \Rightarrow_n \leftarrow^!_{ER/AC} c'\sigma$ for every $c \to c' \in C$. On the other hand, the 
definition of $\sigma'$ yields $c\sigma \to^*_{ER/AC} c\sigma'$ and $c'\sigma \to^*_{ER/AC} c'\sigma'$, such that the 
$\to_{ER/AC}$-normal forms coincide pairwise. Hence we have 
$c\sigma' \to^!_{ER/AC} \Rightarrow_n \leftarrow^!_{ER/AC} c'\sigma'$ for every $c \to c' \in C$. Thus, by Definition 3 
(together with Lemma 6(iii)), $l\sigma' \to_{n+1} r\sigma'$. Since $r\sigma \to^*_{ER/AC} r\sigma'$ as well, the 
above diagram can be closed using the induction hypothesis for $m$, applied to 
$\sigma'$: the longest $\to_{ER/AC}$-reduction starting in $l\sigma' \leftrightarrow^*_{AC} t'$ has at most $m$ steps, 
so $l\sigma' \to^!_{ER/AC} \Rightarrow_{n+1} \leftarrow^!_{ER/AC} r\sigma'$, and the $\to_{ER/AC}$-normal forms of $l\sigma$ and 
$l\sigma'$ as well as those of $r\sigma'$ and $s$ coincide by convergence. 
Example 13. It is possible to show that the CCS specification in Example 2 is 
level-coherent. Here we consider only one of the critical situations: the left-hand 
side $x \| y$ of the first “$\|$” rule in $R$ and the oriented equation $z \| nil \to z$ in 
$ER$ yield the two conditional critical pairs 

$(\{a\}(x' \| nil),\ z,\ \{ z \to \{a\}x' \}),\ (\{a\}(x' \| z),\ z,\ \{ nil \to \{a\}x' \}) \in CCP(\mathcal{T})$. 

(Choose $\sigma = [x/z, y/nil]$ and its $AC$-symmetric counterpart $[x/nil, y/z]$ in 
Definition 10 to obtain both.) 

Regarding the second pair, it is obvious that there does not exist any $(\{ nil \to 
\{a\}x' \}, n)$-feasible substitution since the term $nil$ is $\Rightarrow_{\mathcal{T}}$-irreducible. Hence the 
critical pair is trivially level-joinable. 

Now let $\sigma \in Sub$ be a $(\{ z \to \{a\}x' \}, n)$-feasible substitution for the first pair. 
According to Definition 11 there exists $u \in T_\Sigma(X)$ such that 
$z\sigma \to^!_{ER/AC} \Rightarrow_n u \leftarrow^!_{ER/AC} (\{a\}x')\sigma$. Then the level joinability can be established 
as follows. On the one hand, using the oriented equation $z \| nil \to z \in ER$, 

$(\{a\}(x' \| nil))\sigma \to_{ER/AC} (\{a\}x')\sigma \to^!_{ER/AC} u$. 

On the other hand, by $\Rightarrow_n \subseteq \Rightarrow_{n+1}$ (Lemma 6(ii)), 

$z\sigma \to^!_{ER/AC} \Rightarrow_{n+1} u$. 

5 Conclusion 

In this paper we have proposed a variant of Meseguer’s Rewriting Logic as a 
semantic framework in which different design languages for distributed systems 
can easily be described. We have demonstrated its appropriateness by giving a 
natural specification of the well-known CCS process algebra. We have argued 
that, for an efficient implementation of this approach, the underlying principle of 
(conditional) term rewriting modulo arbitrary equational theories is intractable. 
Instead we have proposed to employ rewriting modulo AC, using oriented ver- 
sions of the equations, and we have shown that this implementation is always 
sound. With regard to completeness, we have investigated the property of level 
coherence as a sufficient criterion which can be verified by testing the level join- 
ability of finitely many conditional critical pairs. 

Currently we are developing a prototype version of a compiler generator 
which, given the specification of a design language in terms of oriented rewrite 
theories, builds a corresponding Haskell frontend for our Truth verification tool. 
For the actual term rewriting steps, it employs the ELAN system. From 
the point of view of memory efficiency, the prototype is very successful regard- 
ing the state-space reduction. However its run-time performance leaves much 
to be desired, due to the string-based Haskell/ELAN interface and to the inter- 
preting implementation of ELAN. Future releases will hopefully overcome these 
drawbacks by compiling the rewrite rules. It could also be sensible to use other 
languages such as CafeOBJ or Maude. 

In addition, the coherence test has still to be implemented. But if this test 
fails for a given oriented rewrite theory, then the user is left alone with the 
information that one of the conditional critical pairs is not level-joinable, which 
causes the incoherence of the specification. He or she gets no hint on which rules 
should be added in order to assure the completeness of the implementation. We 
are therefore seeking coherence completion strategies which can be 
used to determine such rules. Because of the similarity between the joinability 
and the confluence property of conditional TRS, completion algorithms for the 
latter could be a good starting point. 
Abstract. Synchronous languages have been designed to ease the de- 
velopment of reactive systems, by providing a methodological frame- 
work for assisting system designers from the early stages of requirement 
specifications to the final stages of code generation or circuit produc- 
tion. Synchronous languages enable a very high-level specification and 
an extremely modular design of complex reactive systems. We define an 
order-theoretical model that gives a unified mathematical formalization 
of all the above aspects of the synchronous methodology (from relations 
to circuits). The model has been specified and validated using a theo- 
rem prover as part of the certified, reference compiler of a synchronous 
programming language. 



1 Introduction 

Synchronous languages, such as Signal, Lustre and Esterel, have 
been designed to ease the development of reactive systems. The synchronous 
hypothesis provides a deterministic notion of concurrency where operations and 
communications are instantaneous. In a synchronous language, concurrency is 
meant as a logical way to decompose the description of a system into a set of ele- 
mentary communicating processes. Interaction between concurrent components 
is conceptually performed by broadcasting events. Synchronous languages enable 
a very high-level specification and an extremely modular design of complex reac- 
tive systems by structurally decomposing them into elementary processes. The 
use of synchronous languages provides a methodological framework for assisting 
the users from the early stages of requirement specifications to the final stages of 
code generation or circuit production while obeying compliance to expressed and 
implied safety requirements. In that context, the synchronous language Signal 
is particularly interesting, in that it allows the specification of (early) relational 
properties of systems which can then be progressively refined in order to obtain 
an executable specification. All the stages of this design process can easily be 
modeled and understood in isolation. The purpose of our presentation is to define 
a mathematical model which gives a unified formalization of all the aspects of 
a synchronous methodology and which contains each of them in isolation. The 
model uses basic notions of set theory and order theory. It has been specified 
and validated using the Coq proof assistant. This implementation is part of 
a certified, reference compiler of the Signal language. It completes and extends 
earlier work on the definition of a co-inductive trace semantics of Signal 
in Coq. 
Influential Analogy. In 1545, the great Italian mathematician Gerolamo Car- 
dano wrote an important and influential treatise on algebra, “Ars Magna”, in 
which the first complete expression for the solution of a general cubic equation 
was put forward. Cardano noticed that, in the case of some equations with three 
real solutions, he was forced to take at a certain stage the square root of a neg- 
ative number. The imaginary numbers were born. By analogy, we generalize 
the classical notion of signal with imaginary signals. This extension 
has no material counterpart. It is used to compute intermediate results. For 
instance, the temporal abstractions of signals (called clocks) necessarily have a 
greatest lower bound but do not always have a (real) least upper bound. In that 
case, we need to define an imaginary least upper bound. This axiomatization 
allows us to extend the notion of classical clocks (a clock is a temporal abstrac- 
tion of a signal) with imaginary clocks and to define a boolean lattice of clocks. In 
this lattice-theoretical model, temporal relations between signals always have a 
solution. If the solution contains imaginary signals, this means that the system 
has no real solution in the classical model and that it does not thus form an 
executable specification. 



Plan. We first introduce the synchronous language Signal in Section 2. In 
Section 3 we abstract the notion of control dependence in a mathematical 
structure that we call a synchronous structure. Within this structure we for- 
malize the notions of signals, clocks and instants, and their relations. We define 
some internal operations on signals and clocks, prove their algebraic properties, 
prove that the set of clocks forms a boolean lattice, and define a Cartesian closed 
category of signals with product and coproduct. In Section 4 we add a valu- 
ation function and a data dependency relation to the synchronous structure. In 
Section 5 we briefly expose the outcome of our model for the compilation of 
programs written in the synchronous language Signal. 



2 Overview of Signal 



Signal is an equational synchronous programming language. A Signal program 
is modularly organized into processes consisting of simultaneous equations on 
signals. In Signal, an equation is an elementary and instantaneous operation 
on input signals which defines an output. A signal is a sequence of values defined 
over a totally ordered set of instants. At any given instant, a signal x is either 
present or absent. 



P ::= P | P'                parallel composition 
    | P / x                 restriction 
    | R(x1, ..., xn)        instantaneous relation 
    | z := x when y         selection 
    | z := x default y      deterministic merge 
    | y := x $ init v       delay 
In Signal, a process P is either an equation or the synchronous composition 
P | P' of processes. Parallel composition P | P' synchronizes the events produced 
by P and P'. P / x masks the signal x in the process P, i.e. x is a local signal of the 
process P. An instantaneous relation R(x1, ..., xn) forces the signals x1, ..., xn 
to be synchronous and their instantaneous values to satisfy the relation R. A 
delay y := x $ init v (called a “shift register” in the Signal literature) stores the 
current value of x and outputs the previously stored value of x (initially v) to y. 
A deterministic merge z := x default y outputs the value of x to z (if x is present) 
or the value of y (if x is absent). A selection (or down-sampling) z := x when y 
outputs x to z when y is present and true. When all the inputs of an equation 
are absent, a transition takes place but no value is given to its output. 

A set of equations can be encapsulated as a new reusable process. It consists 
of an interface providing parameters, input and output signals with their types. 
The pervasive operators when, default and $ of Signal offer a flexible means for 
progressively specifying reactive systems, from the early specification of system 
properties or requirements to late executable programs. To illustrate this process, 
let us consider the design of a simple replenishable tank where capacity is an 
integer parameter, fill is an input signal of type event (a subtype of boolean 
only inhabited by true), and empty is an output signal of type boolean. 

process tank = {integer capacity} (? event fill ! boolean empty) 
  (| synchro (when (zn = 0), fill) 
   | zn := n $ init 0 
   | n := (capacity when fill) default (zn - 1) 
   | empty := when (n = 0) default (not fill) 
  |) / n, zn 

This program uses an extended and more intuitive syntax of Signal that 
can be translated into the Signal kernel described in this overview. synchro is 
a process that forces its input signals to be synchronous. The following table 
illustrates an execution of the process tank with a capacity equal to 3. 



  fill  | t  .  .  .  t  .  .  .  t  . 
  zn    | 0  3  2  1  0  3  2  1  0  3 
  n     | 3  2  1  0  3  2  1  0  3  2 
  empty | f  .  .  t  f  .  .  t  f  . 

(“.” marks an instant at which the signal is absent.) 



It is easy to observe that without its first equation synchro (when (zn = 
0), fill) the process tank would not form an executable specification. In this 
case, it would be impossible to relate the clock of the signal fill with the other 
clocks of the program. But it would be a correct sub-specification that could 
be composed with another specification to remove the non-determinism. In this 
paper, we show how to deal with non-determinism using imaginary signals. 
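As an added illustration (not part of the paper and not the certified compiler), the following Python code models the operators used by tank as functions on present/absent values and replays the execution above on the clock of n. The names ABSENT, Delay, run_tank, violates_synchro and ClockError are choices made for this example; fill is supplied as an input sequence, and synchro is modelled as a check that raises ClockError when its arguments are not synchronous.

```python
"""Added example: a step-by-step execution of the tank process in the style of
the Signal kernel.  Illustrative code written for this page, not the certified
Signal compiler.  A signal value at an instant is either a Python value
(present) or ABSENT; when, default and $ are modelled as functions on such
values, and synchro as a check."""

ABSENT = None

class ClockError(Exception):
    """Raised when a synchro constraint is violated at some instant."""

def when(x, y):
    """z := x when y : x when y is present and true, absent otherwise."""
    return x if (x is not ABSENT and y is True) else ABSENT

def default(x, y):
    """z := x default y : x if present, else y (which may be absent)."""
    return x if x is not ABSENT else y

def neg(x):
    """not x, absent when x is absent (an instantaneous relation)."""
    return ABSENT if x is ABSENT else (not x)

def synchro(*xs):
    """synchro(x1, ..., xn): all arguments present or all absent."""
    present = [x is not ABSENT for x in xs]
    if any(present) and not all(present):
        raise ClockError('signals are not synchronous: %r' % (xs,))

class Delay:
    """y := x $ init v : at each instant where x is present, outputs the
    previously stored value of x (initially v) and stores the current one."""
    def __init__(self, v):
        self.v = v
    def previous(self):
        return self.v
    def update(self, x):
        if x is not ABSENT:
            self.v = x

def run_tank(capacity, fill_inputs):
    """Execute `tank` for len(fill_inputs) instants of the clock of n.  Each
    entry of fill_inputs is True (event present) or ABSENT.  Returns the rows
    (fill, zn, n, empty) of the execution table."""
    delay = Delay(0)                                   # zn := n $ init 0
    rows = []
    for fill in fill_inputs:
        zn = delay.previous()                          # n is present at every instant of its clock
        synchro(when(True, zn == 0), fill)             # synchro(when (zn = 0), fill)
        n = default(when(capacity, fill), zn - 1)      # n := (capacity when fill) default (zn - 1)
        empty = default(when(True, n == 0), neg(fill)) # empty := when (n = 0) default (not fill)
        delay.update(n)
        rows.append((fill, zn, n, empty))
    return rows

def violates_synchro(capacity, fill_inputs):
    """True iff the given fill inputs break the synchro constraint of tank."""
    try:
        run_tank(capacity, fill_inputs)
        return False
    except ClockError:
        return True

if __name__ == '__main__':
    T, _ = True, ABSENT
    for row in run_tank(3, [T, _, _, _, T, _, _, _, T, _]):
        print(row)
```

Feeding the pattern of the table (fill present at instants 1, 5 and 9) reproduces the rows for zn, n and empty. Supplying fill at an instant where zn is not 0, or omitting it when zn = 0, violates synchro and is rejected; this is exactly the constraint that relates the clock of fill to the other clocks and makes the process executable.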

3 Control Dependence 

In this section, we focus on a characterization of control dependencies, i.e., the 
temporal relations between events or the dates of events relative to some refer- 
ence of time, not the value of events. Let us informally depict a synchronization 
scenario between two sequences of events (i.e. sets of ordered events). They ex- 
change (dotted) synchronization messages using an asynchronous medium for 
their communications. This involves a synchronization relation between events. 
The natural structure of time of the whole system is that of a partial preorder. 
In this section, we will abstract the notions involved in this example. 




3.1 Synchronous Structure 

We define a synchronous structure as an ordered set (its elements are called 
events) with a particular equivalence relation ~. Intuitively, a; ~ y means that x 
and y are synchronous, that is to say the events x and y must occur simultane- 
ously. The order relation < is the temporal causality between two events: x < y 
means that x must occur strictly before y. 

Definition 1. (£,<c) is a synchronous structure iff £ is a non empty set (of 
events) and is a preorder on £ such that: 

Va; G £, {y G 5 \ y ^ x\ is finite, where a; ~ y x ^ y A y ^ x 

X <y AAdefX < y A a; / y 

x<y AAdefX <yV X = y 

For instance, the left part of the figure | depicts eight events which define 
a synchronous structure. To give easier explanations, the events are numbered 
from 1 to 8. Dotted lines represent the equivalence relation ^ and bold lines 

represent the strict order relation < as a Hasse diagram: a; < y iff there is a 

sequence of connected bold line segments moving downwards from x to y. 

The preorder $\ll$ mixes the synchronicity relation and the temporal causality relation. It defines a notion of time for the whole system. We will explain this structure in more detail after introducing the notion of signal. The right part of the figure depicts the preorder relation $\ll$ between events as a Hasse diagram where synchronous events are grouped in one node. From the fact that $<$ is well founded, we deduce that $\ll$ is a well founded preorder.

The following proposition comes directly from the definition of a synchronous 
structure. In the example, it guarantees that the events numbered 1 and 8 cannot 
be synchronous. 

Proposition 1. $\forall (x, y_1, y_2, z) \in \mathcal{E}^4,\ x < y_1 \wedge y_1 \ll y_2 \wedge y_2 < z \Rightarrow x \not\sim z$

Fig. 1. Events and associated preorder



We say that an event $x$ is covered by an event $y$, and write $x \prec y$, iff $x < y$ and there is no event $z$ satisfying $x < z < y$. From the fact that $<$ is well founded, we can deduce the following proposition. This proposition is important to guarantee a discrete model of synchronous programming.

Proposition 2. $\forall (x, y) \in \mathcal{E}^2,\ x < y \Rightarrow \exists z \in \mathcal{E},\ x \prec z \leq y$

Indeed, $(\mathcal{E}, <)$ is not dense because $<$ is well founded.



3.2 Signal, Clock, and Instant 

In this subsection we define the objects of the model and their relations. First, we formalize the notion of signal. Usually, a (real) signal is a totally ordered set of events. This total order implies that two different events cannot be synchronous. We generalize this definition to enable partially ordered sets of events to be (imaginary) signals. A signal just has to satisfy the property that two different events cannot be synchronous. In subsection 3.4 this relaxed condition is used to define internal operations.

Definition 2. Let $X$ be a subset of $\mathcal{E}$. $X$ is a signal iff it satisfies the following axiom:

$\forall (x, y) \in X^2,\ x \sim y \Rightarrow x = y \quad (1)$

Let $\mathcal{S}$ be the set of signals. For instance, in figure 1, $\{1, 3, 5, 8\}$ and $\{2, 6, 8\}$ are in $\mathcal{S}$. A real signal is then a particular case of signal which is totally preordered by $\ll$. For instance, in figure 1, $\{1, 3, 5\}$, $\{2, 6, 8\}$ and $\emptyset$ are real signals but not $\{1, 3, 5, 8\}$. An imaginary signal is a signal which is not a real signal. An imaginary signal makes it possible to represent the lack of synchronization constraints in a sub-specified reactive system. In Signal, a sub-specification is a correct specification that cannot be executed because of non-determinism. It needs to be composed with another specification to remove the non-determinism. Let $X$ be a signal. From axiom (1) we deduce that $\ll$ is antisymmetric on $X$ and hence is an order relation on $X$. $X$ is totally ordered by $\ll$ iff $X$ is a real signal. From proposition 2 we deduce proposition 3. Then, we define a preorder relation $\leq$ on $\mathcal{S}$ (definition 3; see, for instance, figure 2). The preorder $\leq$ gives rise to an equivalence relation $\equiv$ (definition 4; we say that $X$ and $Y$ are synchronous iff $X \equiv Y$).

Proposition 3. $\forall X \in \mathcal{S},\ \forall (x, y) \in X^2,\ x < y \Rightarrow \exists z \in X,\ z \prec y$

Definition 3. For all signals $X$ and $Y$, $X \leq Y$ iff $\forall x \in X,\ \exists y \in Y,\ x \sim y$.

Definition 4. For all signals $X$ and $Y$, $X \equiv Y$ iff $X \leq Y$ and $Y \leq X$.

In order to study the temporal relations between signals, we define the equiva- 
lence classes of signals by =. 




Fig. 2. Preordered signals ($X \leq Y$)



Definition 5. The set of clocks $\mathcal{C}$ is the quotient of $\mathcal{S}$ by $\equiv$.

For any signal $X$, we write $\hat{X}$ its equivalence class, which we call its clock. $\hat{\emptyset}$ is called the null clock. The clock of a real (resp. imaginary) signal is a real (resp. imaginary) clock. The preorder $\leq$ on $\mathcal{S}$ gives rise to an order $\sqsubseteq$ on $\mathcal{C}$.

Definition 6. For all signals $X$ and $Y$, $\hat{X} \sqsubseteq \hat{Y}$ iff $X \leq Y$.

We define the equivalence classes of events by $\sim$. Intuitively, these classes will represent the notion of logical instant.

Definition 7. The set of instants $\mathcal{I}$ is the quotient of $\mathcal{E}$ by $\sim$.

For any event $x$, we write $\hat{x}$ its equivalence class, which we call its instant. The preorder $\ll$ gives rise to an order $\triangleright$ on $\mathcal{I}$.

Definition 8. For all events $x$ and $y$, $\hat{x} \triangleright \hat{y}$ iff $x \ll y$.
Intuitively, it is clear that a clock should be related to a set of instants and conversely. We show that the set of clocks $\mathcal{C}$ and the powerset of $\mathcal{I}$ are isomorphic. Let $\mathcal{P}(\mathcal{I})$ be the powerset of $\mathcal{I}$. Using the Axiom of Choice, we prove the following theorem.

Theorem 1. $(\mathcal{C}, \sqsubseteq)$ and $(\mathcal{P}(\mathcal{I}), \subseteq)$ are isomorphic.

Let $I$ be a set of instants. By definition of an instant, $I$ is a set of disjoint sets of events. The Axiom of Choice is then necessary to "choose" a single event from each element of $I$. Then we can construct a signal and take its clock, which is then the clock associated with $I$. Therefore there is a function $f$ from $\mathcal{P}(\mathcal{I})$ to $\mathcal{C}$. We show that this function is invertible and that $f$ and $f^{-1}$ are increasing. This is sufficient to prove that $f$ is an isomorphism.

3.3 Trace 

We can link this order-theoretic approach to our trace semantics of Signal developed in [ref]. Let $i \in \mathcal{I}$ be an instant. $t_X(i)$ is the event at the intersection of $X$ and $i$ if it exists, or else it is the special value $\bot \notin \mathcal{E}$ if the intersection is empty. $t_X$ is called the trace of $X$.

$t_X : \mathcal{I} \to \mathcal{E} \cup \{\bot\}$

$i \mapsto \begin{cases} x & \text{if } X \cap i = \{x\} \\ \bot & \text{otherwise} \end{cases}$

The following lemma guarantees that this definition is correct.

Lemma 1. For any signal $X$, for any instant $i$, for any event $x$ of $X$, $X \cap i = \emptyset \vee \exists x \in X,\ X \cap i = \{x\}$, and $X \cap \hat{x} = \{x\}$.

The two approaches are linked by the logical property: $X = Y \Leftrightarrow t_X = t_Y$.

3.4 Operations on Signals and Clocks 

In this subsection we define some operations on signals and clocks which denote the control part of the instructions of Signal [ref]. Let $X$ and $Y$ be signals. First we define the selection of a signal at the clock of another signal.

Definition 9 (Selection). For all signals $X$ and $Y$,

$X \otimes Y =_{def} \{x \in X \mid \exists y \in Y,\ x \sim y\}$

$\otimes$ is an internal operation on $\mathcal{S}$, i.e. for all signals $X$ and $Y$, $X \otimes Y$ is a signal. For instance, in the left part of figure 3, the selection of the signal $Y$ at the clock of $X$ is depicted. Although $X$ and $Y$ are imaginary signals, the result $Y \otimes X$ is a real signal in this example. The operator $\otimes$ on $\mathcal{S}$ gives rise to the greatest lower bound operator $\sqcap$ on $\mathcal{C}$.

Definition 10. For all signals $X$ and $Y$, $\hat{X} \sqcap \hat{Y} =_{def} \widehat{X \otimes Y}$.

Proposition 4. $C \sqcap D$ is the greatest lower bound of clocks $C$ and $D$.

We define the merge of two signals with priority to the left event.

Definition 11 (Deterministic Merge). For all signals $X$ and $Y$,

$X \oplus Y =_{def} X \cup \{y \in Y \mid \neg\exists x \in X,\ x \sim y\}$

$\oplus$ is an internal operation on $\mathcal{S}$, i.e. for all signals $X$ and $Y$, $X \oplus Y$ is a signal. For instance, in the right part of figure 3, the deterministic merge of the signals $X$ and $Y$ is depicted. Although $X$ and $Y$ are real signals, their deterministic merge $X \oplus Y$ is an imaginary signal because its events are not totally preordered by $\ll$. The operator $\oplus$ on $\mathcal{S}$ gives rise to the least upper bound operator








Fig. 3. Examples of selection and deterministic merge 



$\sqcup$ on $\mathcal{C}$.

Definition 12. For all signals $X$ and $Y$, $\hat{X} \sqcup \hat{Y} =_{def} \widehat{X \oplus Y}$.

Proposition 5. $C \sqcup D$ is the least upper bound of clocks $C$ and $D$.

Every couple of clocks $\{C, D\}$ has a least upper bound $C \sqcup D$ and a greatest lower bound $C \sqcap D$. Therefore $(\mathcal{C}, \sqcap, \sqcup)$ is a lattice (see footnote 1). From the isomorphism between $\mathcal{P}(\mathcal{I})$ and $\mathcal{C}$, we deduce that the lattice $(\mathcal{C}, \sqcap, \sqcup)$ is boolean, i.e. it is complete, distributive and there exist a null element $\hat{\emptyset}$ and a universal element $\top$. Let $f$ be the morphism from $\mathcal{P}(\mathcal{I})$ to $\mathcal{C}$. The universal element $\top$ is equal to $f(\mathcal{I})$. We define the operator $\setminus$ on clocks which is the counterpart of the operator $\setminus$ on sets of instants, which subtracts a set from another. Let $f$ be the morphism from $\mathcal{C}$ to $\mathcal{P}(\mathcal{I})$: $C \setminus D =_{def} f^{-1}(f(C) \setminus f(D))$. The complement of a signal $X$ is a "chosen" signal $\overline{X}$ (using the Axiom of Choice) of clock $\top \setminus \hat{X}$.



1 This is not true for real clocks as they do not always have a real least upper bound.
Algebraic properties of these operations on signals and clocks are summarized in figure 4. They are easily proved by case analysis using the trace semantics. We just have to translate the signal operators $\otimes$ and $\oplus$ into the trace semantics. We define an operator $\cdot$ on traces such that $t_{X \otimes Y} = t_X \cdot t_Y$ and an operator $+$ on traces such that $t_{X \oplus Y} = t_X + t_Y$.

$t_X \cdot t_Y : \mathcal{I} \to \mathcal{E} \cup \{\bot\}$, $\quad i \mapsto \begin{cases} t_X(i) & \text{if } t_X(i) \neq \bot \wedge t_Y(i) \neq \bot \\ \bot & \text{otherwise} \end{cases}$

$t_X + t_Y : \mathcal{I} \to \mathcal{E} \cup \{\bot\}$, $\quad i \mapsto \begin{cases} t_X(i) & \text{if } t_X(i) \neq \bot \\ t_Y(i) & \text{otherwise} \end{cases}$

Note that $\oplus$ is not distributive to the right with respect to $\otimes$. Indeed, if $t_X(i) = x$, $t_Y(i) = \bot$ and $t_Z(i) = z$ then $((t_X \cdot t_Y) + t_Z)(i) = z$ and $((t_X + t_Z) \cdot (t_Y + t_Z))(i) = x$.



$X \otimes Y \leq X$
$X \otimes Y \leq Y$
$X \otimes Y \equiv Y \otimes X$
$X \otimes (Y \otimes Z) = (X \otimes Y) \otimes Z$
$X \otimes (Y \oplus Z) = (X \otimes Y) \oplus (X \otimes Z)$
$(X \oplus Y) \otimes Z = (X \otimes Z) \oplus (Y \otimes Z)$

$X \leq X \oplus Y$
$Y \leq X \oplus Y$
$X \oplus Y \equiv Y \oplus X$
$X \oplus (Y \oplus Z) = (X \oplus Y) \oplus Z$
$X \oplus (Y \otimes Z) = (X \oplus Y) \otimes (X \oplus Z)$

Fig. 4. Algebraic properties of $\otimes$ and $\oplus$




Fig. 5. Summary of the results presented so far 
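The following Python code is an added example, not the paper's own code: it builds a finite synchronous structure from constructed sample events (the instant tags and the order on instants are chosen for the example), implements the selection ⊗ and deterministic merge ⊕ of Definitions 9 and 11, the signal preorder of Definition 3, the real/imaginary distinction, and the trace operators · and + of subsection 3.4, then checks the laws of Fig. 4 together with the counterexample to right distributivity given above. The signal names A, B, C and the instant numbering are assumptions of the example.

```python
from itertools import product

# Added example, not the paper's code: a finite synchronous structure given by
# its instants. Every event carries the tag of its instant (its ~-class), so
# x ~ y iff the tags agree; the preorder << on events is induced by a strict
# partial order on instants, given by its covering pairs.
BOT = None  # stands for the special value ⊥ of the trace semantics


def transitive_closure(pairs):
    closure = set(pairs)
    while True:
        new = {(a, d) for (a, b), (c, d) in product(closure, repeat=2) if b == c}
        if new <= closure:
            return closure
        closure |= new


class SyncStructure:
    def __init__(self, instant_of, instant_covers):
        self.instant_of = dict(instant_of)  # event -> instant tag
        self.instants = sorted(set(self.instant_of.values()))
        self.before = transitive_closure(instant_covers)  # strict order on instants

    def sync(self, x, y):  # x ~ y
        return self.instant_of[x] == self.instant_of[y]

    def precedes(self, x, y):  # x << y
        ix, iy = self.instant_of[x], self.instant_of[y]
        return ix == iy or (ix, iy) in self.before

    def is_signal(self, X):  # Definition 2: x ~ y implies x = y
        return all(x == y or not self.sync(x, y) for x, y in product(X, repeat=2))

    def is_real(self, X):  # a real signal is totally preordered by <<
        return self.is_signal(X) and all(
            self.precedes(x, y) or self.precedes(y, x) for x, y in product(X, repeat=2))

    def select(self, X, Y):  # X ⊗ Y, Definition 9
        return frozenset(x for x in X if any(self.sync(x, y) for y in Y))

    def merge(self, X, Y):  # X ⊕ Y, Definition 11, priority to the left
        return frozenset(X) | frozenset(
            y for y in Y if not any(self.sync(x, y) for x in X))

    def leq(self, X, Y):  # X ≤ Y, Definition 3
        return all(any(self.sync(x, y) for y in Y) for x in X)

    def equiv(self, X, Y):  # X ≡ Y, Definition 4
        return self.leq(X, Y) and self.leq(Y, X)

    def clock(self, X):  # the clock of X, viewed as a set of instants (Theorem 1)
        return frozenset(self.instant_of[x] for x in X)

    def trace(self, X):  # t_X : I -> E ∪ {⊥}
        assert self.is_signal(X), "traces are defined for signals only"
        return {i: next((x for x in X if self.instant_of[x] == i), BOT)
                for i in self.instants}


def trace_select(tx, ty):  # t_X . t_Y
    return {i: tx[i] if tx[i] is not BOT and ty[i] is not BOT else BOT for i in tx}


def trace_merge(tx, ty):  # t_X + t_Y
    return {i: tx[i] if tx[i] is not BOT else ty[i] for i in tx}


def fig4_properties(ss, X, Y, Z):
    """The laws of Fig. 4, plus the right distributivity of ⊕ over ⊗ that fails."""
    sel, mrg = ss.select, ss.merge
    return {
        "sel_leq_left": ss.leq(sel(X, Y), X),
        "sel_leq_right": ss.leq(sel(X, Y), Y),
        "sel_comm": ss.equiv(sel(X, Y), sel(Y, X)),
        "sel_assoc": sel(X, sel(Y, Z)) == sel(sel(X, Y), Z),
        "sel_dist_left": sel(X, mrg(Y, Z)) == mrg(sel(X, Y), sel(X, Z)),
        "sel_dist_right": sel(mrg(X, Y), Z) == mrg(sel(X, Z), sel(Y, Z)),
        "mrg_geq_left": ss.leq(X, mrg(X, Y)),
        "mrg_geq_right": ss.leq(Y, mrg(X, Y)),
        "mrg_comm": ss.equiv(mrg(X, Y), mrg(Y, X)),
        "mrg_assoc": mrg(X, mrg(Y, Z)) == mrg(mrg(X, Y), Z),
        "mrg_dist_left": mrg(X, sel(Y, Z)) == sel(mrg(X, Y), mrg(X, Z)),
        "mrg_dist_right": mrg(sel(X, Y), Z) == sel(mrg(X, Z), mrg(Y, Z)),  # not a law
    }


def traces_match_operators(ss, X, Y):
    """Checks t_{X⊗Y} = t_X . t_Y and t_{X⊕Y} = t_X + t_Y on two given signals."""
    tx, ty = ss.trace(X), ss.trace(Y)
    return (ss.trace(ss.select(X, Y)) == trace_select(tx, ty)
            and ss.trace(ss.merge(X, Y)) == trace_merge(tx, ty))


# Constructed sample: instants 1 < 2 < 3 and 1 < 4, with 4 incomparable to 2 and 3.
SS = SyncStructure(
    {"a1": 1, "a2": 2, "a3": 3, "b2": 2, "b3": 3, "b4": 4, "c1": 1, "c4": 4},
    {(1, 2), (2, 3), (1, 4)})
A, B, C = frozenset({"a1", "a2", "a3"}), frozenset({"b2", "b3", "b4"}), frozenset({"c1", "c4"})
```

With these signals A and C are real while A ⊕ C is imaginary, and the two sides of the failing right distributivity are synchronous but differ as sets of events, exactly the situation of the counterexample above.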



3.5 The Category of Signals 

Another way to study temporal relations between signals is to define a category of signals in which a morphism describes the temporal relation between two signals. Suppose that $X$ and $Y$ are two signals such that $X \leq Y$. Then, for any event $x \in X$, there exists an event $y \in Y$ such that $x \sim y$, by definition of $\leq$. This event $y$ is unique by definition of a signal. Hence, we can define a total function $[Y]_X$, called signal morphism, from $X$ to $Y$:

$[Y]_X : X \to Y$, $\quad x \mapsto y$ such that $x \sim y$

For all signals $X$ and $Y$ such that $X \leq Y$,

1. $[Y]_X$ is injective: $\forall (x, x') \in X^2,\ [Y]_X(x) = [Y]_X(x') \Rightarrow x = x'$

2. $[Y]_X$ is strictly monotonic: $\forall (x, x') \in X^2,\ x < x' \Rightarrow [Y]_X(x) < [Y]_X(x')$

3. $[Y]_X$ is bijective (with $[Y]_X^{-1} = [X]_Y$) iff $X \equiv Y$.

The identity $[X]_X$ is a signal morphism and signal morphisms can be composed: for all signals $X$, $Y$ and $Z$ such that $X \leq Y \leq Z$, $[Z]_X = [Z]_Y \circ [Y]_X$. The set of signals and the set of morphisms define a small (preorder) category Sig with product $\otimes$ and coproduct $\oplus$. More precisely, let $X$ and $Y$ be two objects (i.e. signals) of the category Sig. The product object $X \otimes Y$ and the two projections $[X]_{X \otimes Y}$ and $[Y]_{X \otimes Y}$ are a product of $X$ and $Y$. These data satisfy the property that, for any object $Z$ and all morphisms $f : Z \to X$ and $g : Z \to Y$, there exists a unique morphism $(f, g) : Z \to X \otimes Y$ such that the left diagram of figure 6 commutes. The coproduct object $X \oplus Y$ and the two injections $[X \oplus Y]_X$ and $[X \oplus Y]_Y$ are a coproduct of $X$ and $Y$. These data satisfy the property that, for all objects $Z$ and all morphisms $f : X \to Z$ and $g : Y \to Z$, there exists a unique morphism $[f, g] : X \oplus Y \to Z$ such that the right diagram of figure 6 commutes.



[Diagram: the product $X \otimes Y$ with its projections $[X]_{X \otimes Y}$ and $[Y]_{X \otimes Y}$ (left), and the coproduct $X \oplus Y$ with its injections $[X \oplus Y]_X$ and $[X \oplus Y]_Y$ (right)]




Fig. 6. Morphisms for product and coproduct objects 



The signal $\emptyset$ is the unique initial object of the category Sig, i.e. for any object $X$ of Sig there exists a unique morphism $[X]_\emptyset : \emptyset \to X$. And the coproduct $\oplus$ is defined for each ordered pair of objects of Sig. Hence the category Sig has finite coproducts. It is also possible to construct a terminal object. Let $C$ be the clock corresponding to the set of all instants $\mathcal{I}$. Let $Y \in C$ be a signal of clock $C$. This signal $Y$ is a terminal object, i.e. for any object $X$ of Sig there exists a unique morphism $[Y]_X : X \to Y$. And the product $\otimes$ is defined for each ordered pair of objects of Sig. Hence the category Sig has finite products. Let $Y \Rightarrow Z$ be the object $Y \otimes Z$ and $Apply_{Y,Z} : (Y \Rightarrow Z) \otimes Y \to Z$ be the morphism $[Z]_{(Y \Rightarrow Z) \otimes Y}$. $Apply_{Y,Z}$ is correctly defined because $(Y \Rightarrow Z) \otimes Y \leq Z$:

$(Y \Rightarrow Z) \otimes Y = (Y \otimes Z) \otimes Y = (Y \otimes Y) \otimes (Z \otimes Y) = Y \otimes (Z \otimes Y) = (Z \otimes Y) \leq Z$

In addition, $(Y \Rightarrow Z) \otimes Y = (Z \otimes Y)$. Therefore $Apply_{Y,Z} = [Z]_{Z \otimes Y}$. Sig is Cartesian closed, i.e. for all objects $Z$ and each morphism $f : X \otimes Y \to Z$ there exists a unique morphism $\Lambda(f) = [Y \Rightarrow Z]_X : X \to (Y \Rightarrow Z)$ such that the following diagram commutes (see footnote 2). The proof consists in proving that $X \leq (Y \Rightarrow Z)$, i.e. that $\Lambda(f) = [Y \Rightarrow Z]_X$ is correctly defined. We conjecture that the category Sig can be related to the category of event structures [ref] through functors.




4 Data Dependence 

In this section, we complete our notion of partial ordered time to deal with data 
dependence. 

4.1 Valuated Synchronous Structure 

We associate a valuation function $v$ and a data dependency relation $\to$ to a synchronous structure.

Definition 13. Let $\mathcal{D}$ be a set. $(\mathcal{E}, \ll, v : \mathcal{E} \to \mathcal{D}, \to)$ is a valuated synchronous structure iff $(\mathcal{E}, \ll)$ is a synchronous structure, $v$ is a function from $\mathcal{E}$ to $\mathcal{D}$ and $\to$ is a partial order included in $\ll$, i.e.:

$\forall (x, y) \in \mathcal{E}^2,\ x \to y \Rightarrow x \ll y \quad (2)$

Definition 8 of the partial order $\triangleright$ on instants and axiom (2) guarantee that the value of an event cannot depend on the value of a future event. The data dependencies of an event come only from past or present values of other events. A signal is said to be of domain $D \subseteq \mathcal{D}$ iff all its events $x$ are such that $v(x) \in D$. Let $\ll_v$ be the transitive closure of the union of the relations $\ll$ and $\to$. The preorder

2 $\forall f : X \to Y,\ g : X' \to Y'$, $\quad f \otimes g =_{def} (f \circ [X]_{X \otimes X'},\ g \circ [X']_{X \otimes X'}) : X \otimes X' \to Y \otimes Y'$
$\ll_v$ defines a notion of time which takes into account the synchronicity relation, control dependencies and data dependencies. We define a preorder relation $\leq_v$ on $\mathcal{S}$.

Definition 14. $X \leq_v Y$ iff $X \leq Y \wedge \forall x \in X,\ v(x) = v([Y]_X(x))$

The preorder $\leq_v$ gives rise to an equivalence relation $\equiv_v$. Intuitively, $X \equiv_v Y$ means that $X$ and $Y$ are synchronous and provide the same values in the same order.

Definition 15. $X \equiv_v Y$ iff $X \leq_v Y \wedge Y \leq_v X$



4.2 Scheduling Specification 

We define a ternary relation, called conditional dependency. Intuitively, $X \xrightarrow{C} Y$ states that, at the instants of the clock $C$, there are dependencies $\to$ from an event of $X$ to an event of $Y$ in the same instant. In this relation, we are only interested in instantaneous dependencies. Practically, this relation is used to schedule the computations that have to be done in the same logical instant. A set of conditional dependencies is called a scheduling specification.

Definition 16. $X \xrightarrow{C} Y \Leftrightarrow_{def} \forall x \in X \otimes Z,\ \exists y \in Y,\ x \sim y \wedge x \to y$, where $Z$ is a signal of clock $C$.

The following theorem makes it possible to compute the transitive closure of a scheduling specification.

Theorem 2. For all signals $X$, $Y$ and $Z$, for all clocks $C$ and $D$,

$X \xrightarrow{C} Y \wedge Y \xrightarrow{D} Z \Rightarrow X \xrightarrow{C \sqcap D} Z \qquad X \xrightarrow{C} Y \wedge X \xrightarrow{D} Y \Rightarrow X \xrightarrow{C \sqcup D} Y$

In figure 7, the diagram on the left depicts a scheduling specification involving local variables. These are hidden in the diagram on the right, using theorem 2.




Fig. 7. Abstraction of Scheduling Specifications 
5 Compilation of Signal



First, we define the functions $\ast\cdot$ and $[\cdot]$ which compute the sub-signal of the true-valued events of a signal of domain $\{false, true\}$, and its clock.

Definition 17. Let $X$ be a signal of domain $\{false, true\}$.

$\ast X =_{def} \{x \in X \mid v(x) = true\} \qquad [X] =_{def} \widehat{\ast X}$

The delay makes it possible to move forward the valuation of a real signal (see footnote 3). The value of an event of a delayed real signal is the value of the previous event if it exists. In the other case, a default value is given. $Pre(u, X, Y)$ states that $Y$ is the delayed signal of $X$ initialized with $u$.

$Pre(u, X, Y) \Leftrightarrow_{def} X \equiv Y \wedge \forall y \in Y,$

$\quad y \text{ minimal element of } Y \Rightarrow v(y) = u$

$\quad \forall y' \in Y,\ y' \prec y \Rightarrow v(y) = v([X]_Y(y'))$

We define a predicate that constrains a set of signals to be synchronous and to satisfy a predicate between their values at every instant. In Signal, it is called an instantaneous relation.

Definition 18 (Instantaneous Relation). Let $X_1, \ldots, X_n$ be $n$ signals and $P$ be a predicate on $\mathcal{D}^n$.

$R^n_P(X_1, \ldots, X_n) \Leftrightarrow_{def} X_1 \equiv \cdots \equiv X_n \wedge \forall (x_1, \ldots, x_n) \in X_1 \times \cdots \times X_n,\ x_1 \sim \cdots \sim x_n \Rightarrow P(x_1, \ldots, x_n)$



The denotational semantics of Signal in this model is given in figure 8. The symbol := is denoted not only by $\equiv_v$ but also by dependence relations from the signals involved in the right part of an equation to the signal of the left part, at the clock of the latter signal.

Endochrony refers to the Ancient Greek "ἔνδον" and literally means "time defined from the inside". An endochronous specification defines a reactive system where "time defined from the inside" translates into the property that the production of its outputs only depends on the presence of its inputs. An endochronous system reacts to inputs by having an activation clock computable from that of its inputs. This activation clock directs the execution of the program. By contrast with the classical synchronous programming model, in which the activation clock of a system is not always definable, it is always possible to manipulate real or imaginary clocks in our model (because the set of clocks $\mathcal{C}$ is a complete lattice) and eventually to compute a real (endochronous) signal. Hierarchization is the implementation of the property of endochrony for the compilation of Signal programs. It is the medium used in Signal for compiling the parallelism specified using synchronous composition. It consists of organizing the computation of signals as a tree that defines a correct scheduling of computations into tasks. Each node of the tree consists of synchronous signals. It denotes the task of computing them when the clock is active. Each relation of a node with a sub-tree represents a sub-task of smaller clock.

3 It would make no sense to apply the delay to an imaginary signal.
$[\![v]\!] \in \mathcal{D}$

$[\![f]\!] \in \mathcal{D} \times \cdots \times \mathcal{D} \to \mathcal{D}$

$[\![x]\!]_\rho = \rho(x) \in \mathcal{S}$

$[\![y := f(x_1, \ldots, x_n)]\!]_\rho = R^{n}_{[\![f]\!]}([\![x_1]\!]_\rho, \ldots, [\![x_n]\!]_\rho) \wedge \bigwedge_{i=1}^{n} [\![x_i]\!]_\rho \xrightarrow{\widehat{[\![y]\!]_\rho}} [\![y]\!]_\rho$

$[\![z := x \text{ when } y]\!]_\rho = [\![z]\!]_\rho \equiv_v [\![x]\!]_\rho \otimes \ast[\![y]\!]_\rho \wedge [\![x]\!]_\rho \xrightarrow{\widehat{[\![z]\!]_\rho}} [\![z]\!]_\rho$

$[\![z := x \text{ default } y]\!]_\rho = [\![z]\!]_\rho \equiv_v [\![x]\!]_\rho \oplus [\![y]\!]_\rho \wedge [\![x]\!]_\rho \xrightarrow{\widehat{[\![z]\!]_\rho}} [\![z]\!]_\rho \wedge [\![y]\!]_\rho \xrightarrow{\widehat{[\![z]\!]_\rho}} [\![z]\!]_\rho$

$[\![y := x\ \$\ \text{init } v]\!]_\rho = Pre([\![v]\!], [\![x]\!]_\rho, [\![y]\!]_\rho)$

$[\![P_1 \mid P_2]\!]_\rho = [\![P_1]\!]_\rho \wedge [\![P_2]\!]_\rho$

$[\![P / x]\!]_\rho = \exists X \in \mathcal{S},\ [\![P]\!]_{\rho, x \mapsto X}$

$[\![(?\, x_{1..m}\ !\, y_{1..n})\, P]\!]_\rho = \lambda(x_{1..m}, y_{1..n}).\ [\![P]\!]_{\rho, x_i \mapsto \ldots}$



Fig. 8. The denotational semantics of Signal 



6 Related Works 

There are several ways to characterize the essentials of the synchronous paradigm. In [ref] we introduce a co-inductive semantics of Signal. A theorem library is developed which makes it possible to express and prove not only liveness and safety properties of a synchronous program but also its correctness and its completeness. But it is not powerful enough to deal with more theoretical aspects of synchronous programming such as dependencies. The semantics of a synchronous language can be described in a better way with Symbolic Transition Systems (STS) [ref]. This is a formalism on which fundamental questions can be investigated. But it manipulates the absence of a signal as a special value. This is not consistent with reality: the absence of a signal has to be inferred by the program (endochrony). In [ref] STS is extended with preorders and partial orders to model causality relations, schedulings and communications. This preorder-theoretic model is put into practice in the design of Bdl [ref], a synchronous specification language that uses families of preorders to specify systems. In [ref], the problem of characterizing synchrony without using a special symbol for absence is addressed in terms of multiple input-output sequential machines. In [ref] the language Signal has been modelled in interaction categories [ref] where processes are morphisms and objects are types of processes.



7 Conclusion 

We have defined a unified model which formalizes all aspects of the development 
of a reactive system using the underlying programming methodology of syn- 
chronous languages (from relations to circuits) . This model uses basic notions of 
set-theory and order-theory and has been specified and validated using the COQ 
theorem prover. This implementation is part of the development of a certified 
Signal compiler. 
Abstract. A behavioural equivalence is a congruence, if a system is guaranteed to remain equivalent when any one of its component processes is replaced by an equivalent component process. An equivalence is weaker than another equivalence if the latter makes at least the same distinctions between systems as the former. An equivalence preserves a property, if no equivalence class contains one system that has that property and another system that lacks the property. Congruences that preserve such properties as deadlocks or livelocks are important in automatic verification of systems, and knowledge of the weakest such congruences is useful for designing verification algorithms. A simple denotational characterisation of the weakest deadlock-preserving congruence has been published in 1995. In this article simple characterisations are given to the weakest livelock-preserving congruence, and to the weakest congruence that preserves all livelocking traces. The results are compared to Hoare's failures-divergences equivalence in the CSP theory.



1 Introduction 

In this article we investigate weakest congruences for process-algebraic systems. A process algebra consists of a language for defining systems, and a semantic theory that defines one or more equivalences for the behaviours of systems. The language contains operators with which processes can be constructed and combined to form larger processes. An equivalence is a congruence, if and only if the replacement of a component process of a larger process with an equivalent component process always yields a result that is equivalent with the original larger process. Whether or not an equivalence is a congruence may depend on the set of operators that are allowed when constructing processes. An equivalence "$\simeq_1$" is weaker than another equivalence "$\simeq_2$" if and only if $P \simeq_2 Q$ implies $P \simeq_1 Q$.

The research on weakest congruence results may have its origin in Robin Milner's remark on p. 206 of [ref]: "Hoare's failures equivalence ... is important, because it appears to be the weakest equivalence which never equates a deadlocking agent with one which does not deadlock." Milner probably required that the equivalence must be a congruence, because otherwise the weakest equivalence would be the trivial one that has precisely two equivalence classes: the processes
Jos C.M. Baeten, Sjouke Mauw (Eds.): CONCUR’99, LNCS 1664, pp. 1999. 

© Springer-Verlag Berlin Heidelberg 1999 
(that is, Milner's agents) that deadlock, and those that do not. In [ref] it was proven that Milner's guess was not precisely correct. The weakest deadlock-preserving congruence depends on the set of allowed process composition operators. Furthermore, assuming a reasonable choice of operators, it is the same as Hoare's failures equivalence only in the absence of so-called divergence. From now on we will call Hoare's equivalence CSP-equivalence to avoid confusion with some other important types of "failures" and "failures equivalences" that have appeared in the literature.

Another interesting weakest congruence result was proven in [ref], where the so-called nondivergent failures divergences equivalence (NDFD-equivalence) was shown to be the weakest congruence that preserves the validity of formulae written in classic Manna-Pnueli linear time temporal logic [ref] from which the "next state" operator "○" has been removed. This logic is extremely important in verification of concurrent systems. Furthermore, if the congruence has to preserve also deadlocks, then the weakest congruence is the Chaos-free failures divergences (CFFD) equivalence. Because the Manna-Pnueli logic is state-based and process-algebraic equivalences are action-based, these results required an interpretation of the logic in an action-based setting. This can be done in more than one way. An alternative interpretation that is perhaps more relevant for practical verification than the original one was given in [ref] (more easily found in [ref], pp. 498-499).

Some researchers have tried to find the weakest congruence that preserves the results of certain kinds of tests. The solution with a fair way of testing was given by Brinksma, Rensink and Vogler in [ref], and Leduc came to the conclusion that with another view to testing, the NDFD-equivalence is the solution [ref].

Some equivalences investigated in weakest congruence research have their origin in [ref].

In this article we are interested in weakest congruences that distinguish between diverging and non-diverging systems. Divergence is an important phenomenon, because it corresponds to livelock, and has perhaps been the biggest stumbling block in the quest for natural deadlock-preserving congruences. We also compare our results to the well-known CSP-equivalence.

Although the motivation of this article is mostly theoretical, weakest congruence results also have practical significance for automatic verification. One powerful way of fighting the well-known state explosion problem in automatic verification is compositional LTS construction, in which some reduction algorithm is applied to an LTS before using it as a component of a larger system. One way of guaranteeing that this approach produces correct results is to ensure that the reduction algorithm preserves some equivalence that is a congruence and that preserves the property in question. For instance, any reduction algorithm that preserves the weakest deadlock-preserving congruence can be used in compositional analysis of deadlocks.

Section 2 gives the earlier definitions, etc. that we will rely on in this article. The weakest congruence that preserves divergence traces is given in Section 3, and the weakest congruence that distinguishes between a diverging and a non-diverging system in Section 4. Section 5 is devoted to an analysis of CSP-equivalence from the point of view of weakest congruences, and the paper ends with a Conclusions section.



2 Background 

Let $A^*$ and $A^\omega$ denote the sets of finite and infinite strings of elements of a set $A$, respectively. The empty string is denoted with $\varepsilon$, and it is an element of $A^*$, but not of $A^\omega$. That a (finite or infinite) string $\sigma$ is a prefix of a string $\rho$ is denoted with $\sigma \leq \rho$, and $\sigma < \rho$ means that $\sigma \leq \rho \wedge \sigma \neq \rho$. The length of the string $\sigma$ is denoted with $|\sigma|$.

The behaviour of a process consists of executing actions. There are two kinds 
of actions: visible and invisible. The invisible actions are denoted with a special 
symbol r. The behaviour of a process is often represented as a labelled transition 
system. It is a directed graph whose edges are labelled with action names, with 
one state distinguished as the initial state of the process. 

Definition 1. A labelled transition system, abbreviated LTS, is a four-tuple $(S, \Sigma, \Delta, \hat{s})$, where

— $S$ is the set of states,

— $\Sigma$, the alphabet, is the set of the visible actions of the process; we assume that $\tau \notin \Sigma$,

— $\Delta \subseteq S \times (\Sigma \cup \{\tau\}) \times S$ is the set of transitions, and

— $\hat{s} \in S$ is the initial state.

An LTS is finite if and only if its $S$ and $\Sigma$ are finite.

The following notation is useful for talking about the execution of a process starting at some given state. The "$-a\rightarrow$"-notation requires that all actions along the execution path are listed, while the $\tau$-actions are skipped in the "$=a\Rightarrow$"-notation.

Definition 2. Let $(S, \Sigma, \Delta, \hat{s})$ be an LTS, $s, s' \in S$, $a, a_1, a_2, \ldots, a_n, \ldots \in \Sigma \cup \{\tau\}$, and $b_1, b_2, \ldots, b_n, \ldots \in \Sigma$.

— $s -a\rightarrow s'$ is an abbreviation for $(s, a, s') \in \Delta$.

— $s -a_1 a_2 \cdots a_n\rightarrow s'$ means that there are $s_0, s_1, \ldots, s_n \in S$ such that $s_0 = s$, $s_n = s'$ and $s_{i-1} -a_i\rightarrow s_i$ whenever $1 \leq i \leq n$.

— $s -a_1 a_2 \cdots a_n\rightarrow$ means that there is $s'$ such that $s -a_1 a_2 \cdots a_n\rightarrow s'$.

— $s -a_1 a_2 a_3 \cdots\rightarrow$ means that there are $s_0, s_1, s_2, \ldots$ such that $s_0 = s$ and $s_{i-1} -a_i\rightarrow s_i$ whenever $1 \leq i$.

— $restr(a_1 a_2 \cdots a_n, A)$, the restriction of $a_1 a_2 \cdots a_n$ to $A$, is the result of the removal of those $a_i$ from $a_1 a_2 \cdots a_n$ that are not in $A$. The restriction of an infinite string is defined similarly.

— $s =\varepsilon\Rightarrow s'$ means that $s -\tau^n\rightarrow s'$ for some $n \geq 0$, where $\tau^n$ denotes the sequence of $n$ $\tau$-symbols.

— $s =b_1 b_2 \cdots b_n\Rightarrow s'$ means that there are $s_0, s_1, \ldots, s_n \in S$ such that $s_0 = s$, $s_n = s'$ and $s_{i-1} =b_i\Rightarrow s_i$ whenever $1 \leq i \leq n$. That is, $s =b_1 b_2 \cdots b_n\Rightarrow s'$ if and only if there is $\sigma \in (\Sigma \cup \{\tau\})^*$ such that $s -\sigma\rightarrow s'$ and $restr(\sigma, \Sigma) = b_1 b_2 \cdots b_n$.

— $s =b_1 b_2 b_3 \cdots\Rightarrow$ means that there are $s_0, s_1, s_2, \ldots$ such that $s_0 = s$ and $s_{i-1} =b_i\Rightarrow s_i$ whenever $1 \leq i$.

The semantic equivalences that we will discuss will use the following abstract sets extracted from an LTS. The traces of an LTS are the sequences of visible actions generated by any finite execution that starts in the initial state. An infinite execution that starts in the initial state generates either an infinite trace or a divergence trace, depending on whether the number of visible actions in the execution is infinite.

Definition 3. Let $L = (S, \Sigma, \Delta, \hat{s})$ be an LTS.

— $Tr(L) = \{\sigma \in \Sigma^* \mid \hat{s} =\sigma\Rightarrow\}$ is the set of the traces of $L$.

— $Inftr(L) = \{\xi \in \Sigma^\omega \mid \hat{s} =\xi\Rightarrow\}$ is the set of the infinite traces of $L$.

— $Divtr(L) = \{\sigma \in \Sigma^* \mid \exists s : \hat{s} =\sigma\Rightarrow s \wedge s -\tau^\omega\rightarrow\}$, where $\tau^\omega$ denotes an infinite sequence of $\tau$-actions, is the set of the divergence traces of $L$.

It is obvious that $Divtr(L) \subseteq Tr(L)$ and, furthermore, if $\xi \in Inftr(L)$ and $\sigma < \xi$ then $\sigma \in Tr(L)$. If an LTS (or just its set of states) is finite, then its infinite traces are determined by its ordinary traces, as was shown in [ref] for instance.

Proposition 1. Let $L = (S, \Sigma, \Delta, \hat{s})$ be an LTS. If $S$ is finite, then $Inftr(L) = \{\xi \in \Sigma^\omega \mid \forall \sigma : (\sigma < \xi \Rightarrow \sigma \in Tr(L))\}$.

We will later define some additional abstract sets. Tr, Divtr and Lnftr are 
actually functions that take an LTS as input. Any collection of such functions 
can be used to define a semantic model of, and an equivalence between, LTSs 
as is shown below. Please notice that we will talk about an equivalence between 
two LTSs only if the LTSs have the same alphabet. 

Definition 4. Let $f_1, f_2, \ldots, f_k$ be any unary functions that take an LTS as their argument.

— The semantic model of an LTS $L$ induced by $f_1, f_2, \ldots, f_k$ is the $k$-tuple $(f_1(L), f_2(L), \ldots, f_k(L))$.

— Assume that the LTSs $L$ and $L'$ have the same alphabet. The equivalence induced by $f_1, f_2, \ldots, f_k$ is the equivalence "$\simeq$" defined as $L \simeq L' \Leftrightarrow f_1(L) = f_1(L') \wedge f_2(L) = f_2(L') \wedge \cdots \wedge f_k(L) = f_k(L')$.

We will call it the $f_1$-$f_2$-$\cdots$-$f_k$-equivalence.

Almost every process algebra contains some parallel composition operator. In 
this article we use the version which forces precisely those component processes 
to participate in the execution of a visible action that have that action in their 
alphabets. The invisible action is always executed by one component process at 
a time. We first define the product of LTSs as the LTS that satisfies the above 
description and has the Cartesian product of component state sets as its set of 
states, and then define parallel composition by picking the part of the product 
that is reachable from the initial state of the product. 

Definition 5. Let $L_1 = (S_1, \Sigma_1, \Delta_1, \hat{s}_1)$ and $L_2 = (S_2, \Sigma_2, \Delta_2, \hat{s}_2)$ be LTSs. Their product is the LTS $(S', \Sigma, \Delta', \hat{s})$ such that the following hold:

— $S' = S_1 \times S_2$

— $\Sigma = \Sigma_1 \cup \Sigma_2$

— $((s_1, s_2), a, (s'_1, s'_2)) \in \Delta'$ if and only if either

• $a \in (\Sigma_1 \cup \{\tau\}) - \Sigma_2$ and $(s_1, a, s'_1) \in \Delta_1 \wedge s'_2 = s_2$, or

• $a \in (\Sigma_2 \cup \{\tau\}) - \Sigma_1$ and $(s_2, a, s'_2) \in \Delta_2 \wedge s'_1 = s_1$, or

• $a \in \Sigma_1 \cap \Sigma_2$ and $(s_1, a, s'_1) \in \Delta_1$ and $(s_2, a, s'_2) \in \Delta_2$.

— $\hat{s} = (\hat{s}_1, \hat{s}_2)$

The parallel composition $L_1 \| L_2$ is the LTS $(S, \Sigma, \Delta, \hat{s})$ such that

— $S = \{s \in S' \mid \exists \sigma \in \Sigma^* : \hat{s} =\sigma\Rightarrow s\}$

— $\Delta = \Delta' \cap (S \times (\Sigma \cup \{\tau\}) \times S)$

The following formulae describe the traces, etc. of a parallel composition as functions of the traces, etc. of its component processes. Their proofs are omitted because they basically consist of dull systematic checking against the definitions given above. Similar formulae can be found in the literature, for instance in [ref].

Proposition 2. Let $L_1 = (S_1, \Sigma_1, \Delta_1, \hat{s}_1)$ and $L_2 = (S_2, \Sigma_2, \Delta_2, \hat{s}_2)$ be LTSs.

— $Tr(L_1 \| L_2) = \{\sigma \in (\Sigma_1 \cup \Sigma_2)^* \mid restr(\sigma, \Sigma_1) \in Tr(L_1) \wedge restr(\sigma, \Sigma_2) \in Tr(L_2)\}$

— $Divtr(L_1 \| L_2) = \{\sigma \in Tr(L_1 \| L_2) \mid restr(\sigma, \Sigma_1) \in Divtr(L_1) \vee restr(\sigma, \Sigma_2) \in Divtr(L_2)\}$

— $Inftr(L_1 \| L_2) = \{\xi \in (\Sigma_1 \cup \Sigma_2)^\omega \mid restr(\xi, \Sigma_1) \in Inftr(L_1) \wedge restr(\xi, \Sigma_2) \in Tr(L_2) \cup Inftr(L_2)\ \vee\ restr(\xi, \Sigma_1) \in Tr(L_1) \wedge restr(\xi, \Sigma_2) \in Inftr(L_2)\}$

Another operator that is almost invariably found in process algebras in one 
form or another is hiding. 

Definition 6. Let $L = (S, \Sigma, \Delta, \hat{s})$ be an LTS, and $A$ any set of action names. The LTS hide $A$ in $L$ is the LTS $(S, \Sigma', \Delta', \hat{s})$ such that the following hold:

- $\Sigma' = \Sigma - A$

- $(s, a, s') \in \Delta'$ if and only if
  $a = \tau \wedge \exists b \in A : (s, b, s') \in \Delta$, or $a \notin A \wedge (s, a, s') \in \Delta$.



The traces, etc. of hide $A$ in $L$ are also functions of the traces, etc. of $L$.
Proposition 3. Let $L = (S, \Sigma, \Delta, \hat{s})$ be an LTS, and let $\Sigma'$ be the alphabet of hide $A$ in $L$.

— $Tr(\text{hide } A \text{ in } L) = \{ \sigma \in \Sigma'^* \mid \exists \rho \in Tr(L) : \sigma = restr(\rho, \Sigma') \}$

— $Divtr(\text{hide } A \text{ in } L) = \{ \sigma \in \Sigma'^* \mid \exists \xi \in Divtr(L) \cup Inftr(L) : \sigma = restr(\xi, \Sigma') \}$

— $Inftr(\text{hide } A \text{ in } L) = \{ \xi \in \Sigma'^\omega \mid \exists \zeta \in Inftr(L) : \xi = restr(\zeta, \Sigma') \}$

An equivalence $\simeq$ is a congruence with respect to a process operator $op(L_1, \ldots, L_n)$ if and only if $L_1 \simeq L'_1 \wedge \cdots \wedge L_n \simeq L'_n$ implies $op(L_1, \ldots, L_n) \simeq op(L'_1, \ldots, L'_n)$. We can reason from the above formulae that the $Tr$-$Divtr$-$Inftr$-equivalence is a congruence with respect to hiding and “$\parallel$”. Namely, if $Tr(L) = Tr(L')$, $Divtr(L) = Divtr(L')$, and $Inftr(L) = Inftr(L')$, then

$Divtr(\text{hide } A \text{ in } L) = \{ \sigma \in \Sigma'^* \mid \exists \xi \in Divtr(L) \cup Inftr(L) : \sigma = restr(\xi, \Sigma') \}$

$= \{ \sigma \in \Sigma'^* \mid \exists \xi \in Divtr(L') \cup Inftr(L') : \sigma = restr(\xi, \Sigma') \}$

$= Divtr(\text{hide } A \text{ in } L')$,

where $\Sigma$ is the common alphabet of $L$ and $L'$, and $\Sigma' = \Sigma - A$. Similar reasoning applies to $Tr(\text{hide } A \text{ in } L)$ and $Inftr(\text{hide } A \text{ in } L)$. One can also immediately show with the same technique that $Tr(L_1 \parallel L_2) = Tr(L'_1 \parallel L'_2)$ etc., given that $Tr(L_1) = Tr(L'_1)$, etc.

In general, if $f_1(op(L_1, \ldots, L_n)), f_2(op(L_1, \ldots, L_n)), \ldots, f_k(op(L_1, \ldots, L_n))$ can be represented as functions of $f_1(L_1), f_2(L_1), \ldots, f_k(L_1), \ldots, f_1(L_n), f_2(L_n), \ldots, f_k(L_n)$, then the equivalence induced by $f_1, f_2, \ldots, f_k$ is a congruence with respect to $op$.



3 The Weakest Divergence-Trace-Preserving Congruence 

The weakest divergence-trace-preserving congruence is the equivalence that preserves all divergence traces of a process, and is the weakest congruence with respect to hiding and “$\parallel$” that has this property. In this section we will define eventually nondivergent infinite traces and then show that the equivalence induced by them together with traces and divergence traces is the weakest divergence-trace-preserving congruence. Eventually nondivergent infinite traces are those infinite traces of whose prefixes only finitely many are divergence traces.

Definition 7. Let $L = (S, \Sigma, \Delta, \hat{s})$ be an LTS. The set of the eventually nondivergent infinite traces of $L$ is $Enditr(L) = Inftr(L) - Divcl(L)$, where

$Divcl(L) = \{ \xi \in \Sigma^\omega \mid \forall \sigma : (\sigma < \xi \Rightarrow \exists \sigma' : \sigma < \sigma' < \xi \wedge \sigma' \in Divtr(L)) \}$.

The abbreviation $Divcl$ stands for “divergence closure”. The definition immediately implies that $Enditr(L) \subseteq Inftr(L)$.

Proposition 4. Let $L$, $L_1$ and $L_2$ be LTSs, and let $\Sigma_1$, $\Sigma_2$ and $\Sigma'$ be the alphabets of $L_1$, $L_2$ and hide $A$ in $L$.

1. $Divtr(\text{hide } A \text{ in } L) = \{ \sigma \in \Sigma'^* \mid \exists \xi \in Divtr(L) \cup Enditr(L) : \sigma = restr(\xi, \Sigma') \}$

2. $Enditr(\text{hide } A \text{ in } L) = \{ \xi \in \Sigma'^\omega \mid \exists \zeta \in Enditr(L) : \xi = restr(\zeta, \Sigma') \} - Divcl(\text{hide } A \text{ in } L)$

3. $Enditr(L_1 \parallel L_2) = \{ \xi \in (\Sigma_1 \cup \Sigma_2)^\omega \mid restr(\xi, \Sigma_1) \in Enditr(L_1) \wedge restr(\xi, \Sigma_2) \in Tr(L_2) \cup Enditr(L_2) \ \vee\ restr(\xi, \Sigma_1) \in Tr(L_1) \wedge restr(\xi, \Sigma_2) \in Enditr(L_2) \} - Divcl(L_1 \parallel L_2)$

4. The $Tr$-$Divtr$-$Enditr$-equivalence is a congruence with respect to hiding and “$\parallel$”.

Proof. Because Proposition 3 gives that $Divtr(\text{hide } A \text{ in } L) = \{ \sigma \in \Sigma'^* \mid \exists \xi \in Divtr(L) \cup Inftr(L) : \sigma = restr(\xi, \Sigma') \}$, and because $Enditr(L) \subseteq Inftr(L)$, to prove 1 it suffices to show that whatever the strings in $Inftr(L) - Enditr(L)$ contribute to $Divtr(\text{hide } A \text{ in } L)$ would be in the latter set anyway. These strings have arbitrarily long prefixes that are divergence traces of $L$. Let $\xi \in Inftr(L) - Enditr(L)$, and $\sigma = restr(\xi, \Sigma')$. If $\sigma$ is infinite, then it is ruled out by the condition $\sigma \in \Sigma'^*$ in the right hand side of 1. Otherwise, $\xi$ has a finite prefix $\xi_1$ such that $\sigma = restr(\xi_1, \Sigma')$. Because $\xi \in Inftr(L) - Enditr(L)$, $\xi$ has a prefix $\xi_2$ such that $\xi_1 < \xi_2$ and $\xi_2 \in Divtr(L)$. We have $\sigma = restr(\xi_1, \Sigma') \le restr(\xi_2, \Sigma') \le restr(\xi, \Sigma') = \sigma$, so $\sigma$ is included due to the part “$\exists \xi \in Divtr(L) : \ldots$”.

In a similar way one can show that if $\xi \in Inftr(L) - Enditr(L)$, then $restr(\xi, \Sigma') \in Divcl(\text{hide } A \text{ in } L)$ or $restr(\xi, \Sigma')$ is finite. This implies 2. Part 3 is proven similarly, and 4 follows from the previous parts and Propositions 2 and 3. □

The next two propositions show that any equivalence that preserves the divergence traces and is a congruence with respect to “$\parallel$” and hiding must preserve also ordinary traces and eventually nondivergent infinite traces.

Proposition 5. Let $\simeq$ be a congruence with respect to “$\parallel$” such that $L \simeq L'$ implies $Divtr(L) = Divtr(L')$. Then $L \simeq L'$ implies $Tr(L) = Tr(L')$.

Proof. Let $L \simeq L'$, and let $\Sigma$ be the common alphabet of $L$ and $L'$. Let $\sigma = a_1 a_2 \cdots a_n \in \Sigma^*$, and let $Test_1$ be the LTS which has $\Sigma$ as its alphabet, and whose states, transitions and initial state are as is shown in Figure 1. We have
$\sigma \in Tr(L) \iff \sigma \in Divtr(L \parallel Test_1) \iff \sigma \in Divtr(L' \parallel Test_1) \iff \sigma \in Tr(L')$,

where the first and last logical equivalences are due to the structure of $Test_1$, and the middle one follows from the congruence requirement and that the equivalence preserves divergence traces. □



Fig. 1. Two LTSs used in proofs

Proposition 6. Let $\simeq$ be a congruence with respect to “$\parallel$” and hiding such that $L \simeq L'$ implies $Divtr(L) = Divtr(L')$. Then $L \simeq L'$ implies $Enditr(L) = Enditr(L')$.

Proof. Let $L \simeq L'$, let $\Sigma$ be the common alphabet of $L$ and $L'$, and $\xi = a_1 a_2 a_3 \cdots \in Enditr(L)$. Because $\xi \in Enditr(L)$, it has a prefix $a_1 a_2 \cdots a_n$ such that every divergence trace of $L$ is either a prefix of $a_1 a_2 \cdots a_{n-1}$, or not a prefix of $\xi$. Let $a_{new}$ be a symbol that is not in $\Sigma$, and let $Test_2$ be the LTS that has $\Sigma \cup \{a_{new}\}$ as its alphabet, and whose states and transitions are as is shown in Figure 1. We see that $a_{new} \in Divtr(\text{hide } \Sigma \text{ in } (L \parallel Test_2))$. The congruence requirement implies that $a_{new} \in Divtr(\text{hide } \Sigma \text{ in } (L' \parallel Test_2))$. From this we can conclude that either $\xi \in Inftr(L')$, or $Divtr(L')$ contains some $\rho$ such that $a_1 a_2 \cdots a_n \le \rho < \xi$. In the latter case $Divtr(L) = Divtr(L')$ would imply that $\rho$ is a divergence trace of $L$ that is a prefix of $\xi$ but not a prefix of $a_1 a_2 \cdots a_{n-1}$, which is in contradiction with the choice of $n$. So we see that $\xi \in Inftr(L')$ and, furthermore, $\xi \notin Divcl(L')$. These imply that $\xi \in Enditr(L')$. In conclusion, $Enditr(L) \subseteq Enditr(L')$. By replacing the roles of $L'$ and $L$ we see that also $Enditr(L') \subseteq Enditr(L)$. □

Putting the results of this section together gives the following theorem.

Theorem 1. The $Tr$-$Divtr$-$Enditr$-equivalence is the weakest congruence with respect to “$\parallel$” and hiding that preserves all divergence traces.

Proof. The two preceding propositions say that any congruence that preserves divergence traces implies the $Tr$-$Divtr$-$Enditr$-equivalence. On the other hand, because this equivalence is a congruence, it is the required weakest congruence. □

The proof of Proposition 6 used an infinite LTS. Therefore, if we make the a priori assumption that all LTSs are finite, then the proposition cannot any more be used, at least not without a new proof. However, Proposition 5 remains valid in such a situation, because its proof did not assume infinite LTSs to be available. This fact allows us to show that Theorem 1 holds also if all LTSs are assumed to be finite, and even if hiding is removed from the set of operators with respect to which the equivalence must be a congruence.

Theorem 2. The $Tr$-$Divtr$-$Enditr$-equivalence is the weakest congruence between finite LTSs with respect to “$\parallel$” and hiding that preserves all divergence traces. The claim remains valid if “and hiding” is removed.

Proof. Let $\simeq$ preserve the divergence traces and be a congruence with respect to “$\parallel$”. By Proposition 5 it preserves also the traces. An earlier proposition implies that if $L \simeq L'$, then $Inftr(L) = \{ \xi \in \Sigma^\omega \mid \forall \sigma : (\sigma < \xi \Rightarrow \sigma \in Tr(L)) \} = \{ \xi \in \Sigma^\omega \mid \forall \sigma : (\sigma < \xi \Rightarrow \sigma \in Tr(L')) \} = Inftr(L')$, so $Enditr(L) = Inftr(L) - Divcl(L) = Inftr(L') - Divcl(L') = Enditr(L')$. □

The key message of the proof is that if the LTSs are finite, then the $Tr$-$Divtr$-$Enditr$-equivalence collapses to the $Tr$-$Divtr$-equivalence.



4 The Weakest Divergence-Preserving Congruence 

In the previous section we started with the requirement that the congruence 
must preserve all divergence traces. In this section our starting point is weaker: 
we assume only that the congruence preserves the one bit of information that 
tells if the process can diverge or not. As a result, we will end up with a strictly 
weaker equivalence. 

The equivalence will be built from those traces and infinite traces that do 
not have divergence traces as their prefixes, and from those divergence traces 
that do not have divergence traces as their proper prefixes. 

Definition 8. Let $L$ be an LTS and $\Sigma$ its alphabet.

— $diverges(L) = \mathit{True}$ if and only if $Divtr(L) \neq \emptyset$. Otherwise $diverges(L) = \mathit{False}$.

— If $X \subseteq \Sigma^*$, then $minimals(X) = \{ \sigma \in X \mid \forall \rho : (\rho < \sigma \Rightarrow \rho \notin X) \}$

— The set of the minimal divergence traces of $L$ is $Mindiv(L) = minimals(Divtr(L))$

— The set of the extended divergence traces of $L$ is $Divext(L) = \{ \xi \in \Sigma^* \cup \Sigma^\omega \mid \exists \rho : \rho \le \xi \wedge \rho \in Mindiv(L) \}$

— The set of the nondivergent traces of $L$ is $Ndtr(L) = Tr(L) - Divext(L)$

— The set of the nondivergent infinite traces of $L$ is $Ndinftr(L) = Inftr(L) - Divext(L)$
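The operators and sets defined above, as an added Python example that is not part of the paper: a small toolkit for finite LTSs that implements the product-based parallel composition and hiding exactly as defined, computes traces and divergence traces up to a length bound (in a finite LTS a divergence is a $\tau$-reachable $\tau$-cycle), derives $Mindiv$ and $Ndtr$ following Definition 8, and checks the $Tr(L_1 \parallel L_2)$ formula of Proposition 2 exhaustively. The LTSs `L1`, `L2` and the composed `SYS` are constructed for this illustration and do not appear in the paper.

```python
# Added example (not the paper's code): a finite-LTS toolkit with the paper's parallel
# composition and hiding, plus Tr, Divtr, Mindiv and Ndtr computed up to a length bound.
from itertools import product

TAU = "tau"  # the invisible action; never a member of an alphabet

class LTS:
    """L = (S, Sigma, Delta, init); Delta is a set of triples (s, a, s')."""

    def __init__(self, states, alphabet, transitions, init):
        self.S, self.Sigma = frozenset(states), frozenset(alphabet)
        self.Delta, self.init = frozenset(transitions), init

    def succ(self, states, a):  # targets of a-transitions leaving `states`
        return {t for (s, b, t) in self.Delta if s in states and b == a}

    def tau_closure(self, states):  # reachable by zero or more tau transitions
        seen, todo = set(states), list(states)
        while todo:
            new = self.succ({todo.pop()}, TAU) - seen
            seen |= new
            todo += new
        return seen

    def after(self, trace):  # every state L can be in after executing `trace`
        cur = self.tau_closure({self.init})
        for a in trace:
            cur = self.tau_closure(self.succ(cur, a))
        return cur

    def traces(self, n):
        """Tr(L) restricted to traces of length at most n."""
        found, frontier = {()}, {(): self.after(())}
        for _ in range(n):
            nxt = {}
            for tr, states in frontier.items():
                for a in self.Sigma:
                    tgt = self.tau_closure(self.succ(states, a))
                    if tgt:
                        nxt[tr + (a,)] = tgt
            found |= set(nxt)
            frontier = nxt
        return found

    def can_diverge(self, states):
        """An infinite tau-path exists iff some tau-reachable state lies on a tau-cycle."""
        return any(s in self.tau_closure(self.succ({s}, TAU))
                   for s in self.tau_closure(states))

    def divtr(self, n):  # Divtr(L) restricted to traces of length at most n
        return {tr for tr in self.traces(n) if self.can_diverge(self.after(tr))}

def restr(trace, sigma):  # restr(sigma, Sigma): drop the actions not in Sigma
    return tuple(a for a in trace if a in sigma)

def parallel(L1, L2):
    """L1 || L2 as defined above: shared visible actions synchronise, private visible
    actions and tau are executed by one component alone; only the reachable part is kept."""
    shared, delta = L1.Sigma & L2.Sigma, set()
    for (s1, a, t1) in L1.Delta:
        if a in shared:
            delta |= {((s1, s2), a, (t1, t2)) for (s2, b, t2) in L2.Delta if b == a}
        else:
            delta |= {((s1, s2), a, (t1, s2)) for s2 in L2.S}
    for (s2, a, t2) in L2.Delta:
        if a not in shared:
            delta |= {((s1, s2), a, (s1, t2)) for s1 in L1.S}
    init, seen, todo = (L1.init, L2.init), set(), [(L1.init, L2.init)]
    while todo:  # keep only the states reachable from the initial state pair
        s = todo.pop()
        if s not in seen:
            seen.add(s)
            todo += [t for (p, _, t) in delta if p == s]
    return LTS(seen, L1.Sigma | L2.Sigma, {d for d in delta if d[0] in seen}, init)

def hide(A, L):  # hide A in L (Definition 6): actions in A become tau
    return LTS(L.S, L.Sigma - set(A),
               {(s, TAU if a in A else a, t) for (s, a, t) in L.Delta}, L.init)

def minimals(X):  # members of X that have no proper prefix in X (Definition 8)
    return {s for s in X if not any(p != s and s[:len(p)] == p for p in X)}

def ndtr(L, n):  # Tr(L) - Divext(L): traces of which no prefix is a divergence trace
    div = L.divtr(n)
    return {tr for tr in L.traces(n) if not any(tr[:k] in div for k in range(len(tr) + 1))}

def check_prop2_traces(L1, L2, n):
    """Exhaustively check Proposition 2's trace formula for traces up to length n."""
    sig, tr1, tr2 = sorted(L1.Sigma | L2.Sigma), L1.traces(n), L2.traces(n)
    rhs = {w for k in range(n + 1) for w in product(sig, repeat=k)
           if restr(w, L1.Sigma) in tr1 and restr(w, L2.Sigma) in tr2}
    return parallel(L1, L2).traces(n) == rhs

# Constructed example: L1 alternates a, b forever; L2 does b once and then c forever.
L1 = LTS({0, 1}, {"a", "b"}, {(0, "a", 1), (1, "b", 0)}, 0)
L2 = LTS({0, 1}, {"b", "c"}, {(0, "b", 1), (1, "c", 1)}, 0)
SYS = hide({"c"}, parallel(L1, L2))  # the c-loop becomes a tau-loop: divergence after ab
```

Hiding the `c`-loop of `L2` turns it into a $\tau$-loop, so `SYS` has the divergence traces `ab` and `aba`, the single minimal divergence trace `ab`, and the nondivergent traces $\varepsilon$ and `a`; `parallel(L1, L2)` itself contains no $\tau$ and therefore never diverges.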

In analogy with the previous section, we need to show that the $Ndtr$-$Mindiv$-$Ndinftr$-equivalence is a congruence. We just present the formulae that give $Ndtr(\text{hide } A \text{ in } L)$, etc. as functions of $Ndtr(L)$, etc., and skip their (boring) proof.

Proposition 7. Let $L$ be an LTS, and $\Sigma' = \Sigma - A$.

— $Ndtr(\text{hide } A \text{ in } L) = \{ \sigma \in \Sigma'^* \mid \exists \rho \in Ndtr(L) : \sigma = restr(\rho, \Sigma') \} - Divext(L)$

— $Mindiv(\text{hide } A \text{ in } L) = minimals(\{ \sigma \in \Sigma'^* \mid \exists \xi \in Mindiv(L) \cup Ndinftr(L) : \sigma = restr(\xi, \Sigma') \})$

— $Ndinftr(\text{hide } A \text{ in } L) = \{ \xi \in \Sigma'^\omega \mid \exists \zeta \in Ndinftr(L) : \xi = restr(\zeta, \Sigma') \} - Divext(L)$

— $Ndtr(L_1 \parallel L_2) = \{ \sigma \in (\Sigma_1 \cup \Sigma_2)^* \mid restr(\sigma, \Sigma_1) \in Ndtr(L_1) \wedge restr(\sigma, \Sigma_2) \in Ndtr(L_2) \}$

— $Mindiv(L_1 \parallel L_2) = minimals(\{ \sigma \in (\Sigma_1 \cup \Sigma_2)^* \mid restr(\sigma, \Sigma_1) \in Mindiv(L_1) \wedge restr(\sigma, \Sigma_2) \in Ndtr(L_2) \cup Mindiv(L_2) \ \vee\ restr(\sigma, \Sigma_1) \in Ndtr(L_1) \wedge restr(\sigma, \Sigma_2) \in Mindiv(L_2) \})$

— $Ndinftr(L_1 \parallel L_2) = \{ \xi \in (\Sigma_1 \cup \Sigma_2)^\omega \mid restr(\xi, \Sigma_1) \in Ndinftr(L_1) \wedge restr(\xi, \Sigma_2) \in Ndtr(L_2) \cup Ndinftr(L_2) \ \vee\ restr(\xi, \Sigma_1) \in Ndtr(L_1) \wedge restr(\xi, \Sigma_2) \in Ndinftr(L_2) \}$

That the $Ndtr$-$Mindiv$-$Ndinftr$-equivalence is the weakest $diverges()$-preserving congruence is a direct consequence of the following three propositions.

Proposition 8. Let $\simeq$ be a congruence with respect to “$\parallel$” such that $L \simeq L'$ implies that $diverges(L) = diverges(L')$. Then $L \simeq L'$ implies $Mindiv(L) = Mindiv(L')$.

Proof. Let $\sigma = a_1 a_2 \cdots a_n \in Mindiv(L)$. Let $Test_3$ have the same alphabet as $L$, and let its other components be as is shown in Figure 2. Then $diverges(L \parallel Test_3) = \mathit{True}$, so also $diverges(L' \parallel Test_3) = \mathit{True}$, from which we can reason that $\sigma$ has a prefix $\rho$ such that $\rho \in Mindiv(L')$. By repeating the argument with the roles of $L$ and $L'$ exchanged we see that $\rho$ has a prefix $\sigma'$ such that $\sigma' \in Mindiv(L)$. Due to the definition of $Mindiv$ we have $\sigma' = \sigma$, so $\rho = \sigma$ and we get $Mindiv(L) = Mindiv(L')$. □



Fig. 2. Two more LTSs used in proofs ($Test_3$ and $Test_4$)



Proposition 9. Let $\simeq$ be a congruence with respect to “$\parallel$” such that $L \simeq L'$ implies that $diverges(L) = diverges(L')$. Then $L \simeq L'$ implies $Ndtr(L) = Ndtr(L')$.

Proof. Let $\sigma = a_1 a_2 \cdots a_n \in Ndtr(L)$. We use again $Test_1$ from Figure 1. We see that $diverges(L \parallel Test_1) = \mathit{True}$, so also $diverges(L' \parallel Test_1) = \mathit{True}$. This means that either $\sigma$ has a prefix that is a divergence trace of $L'$, or $\sigma \in Ndtr(L')$. Proposition 8 and the definition of $Ndtr(L)$ rule out the former possibility. Thus $\sigma \in Ndtr(L')$. So $Ndtr(L) \subseteq Ndtr(L')$. By symmetry also $Ndtr(L') \subseteq Ndtr(L)$. □

Proposition 10. Let $\simeq$ be a congruence with respect to “$\parallel$” and hiding such that $L \simeq L'$ implies that $diverges(L) = diverges(L')$. Then $L \simeq L'$ implies $Ndinftr(L) = Ndinftr(L')$.

Proof. Let $\xi = a_1 a_2 a_3 \cdots \in Ndinftr(L)$. It is the time to use $Test_4$ from Figure 2. Clearly hide $\Sigma$ in $(L \parallel Test_4)$ diverges, so also hide $\Sigma$ in $(L' \parallel Test_4)$ must diverge. This is possible only if either some prefix of $\xi$ is a divergence trace of $L'$, or $\xi \in Ndinftr(L')$. Like before, Proposition 8 and the definition of $Ndinftr(L)$ rule out the former possibility, so $\xi \in Ndinftr(L')$. Like before, that $\xi \in Ndinftr(L')$ implies $\xi \in Ndinftr(L)$ follows now from symmetry. □
Theorem 3. The $Ndtr$-$Mindiv$-$Ndinftr$-equivalence is the weakest congruence with respect to “$\parallel$” and hiding that preserves the existence of divergence traces.

We again used an infinite LTS, namely in the proof of Proposition 10. Like in the previous section, this proposition can be replaced by another one if we restrict ourselves to finite LTSs. As a matter of fact, the weaker assumption that the LTSs are finitely branching can be used as well.

Definition 9. An LTS $(S, \Sigma, \Delta, \hat{s})$ is finitely branching, if and only if for each $s \in S$ and $a \in \Sigma \cup \{\tau\}$, the set $\{ s' \mid (s, a, s') \in \Delta \}$ is finite.



Proposition 11. If $L$ is a finitely branching LTS, then

$Ndinftr(L) = \{ \xi \in \Sigma^\omega \mid \forall \rho : (\rho < \xi \Rightarrow \rho \in Ndtr(L)) \}$.

Proof. The direction “$\xi \in Ndinftr(L) \Rightarrow$” is obvious. For the opposite direction, let $\xi = a_1 a_2 a_3 \cdots \in \Sigma^\omega$ such that $\forall \sigma : (\sigma < \xi \Rightarrow \sigma \in Ndtr(L))$. We show next that the system has an infinite execution $s_0 \xrightarrow{b_1} s_1 \xrightarrow{b_2} \cdots$, where $s_0 = \hat{s}$, such that $restr(b_1 b_2 \cdots, \Sigma) \le \xi$. We do that by inductively demonstrating, for each $n \ge 0$, the existence of transitions $s_0 \xrightarrow{b_1} s_1 \xrightarrow{b_2} \cdots \xrightarrow{b_n} s_n$ and an infinite set $E_n$ of arbitrarily long finite executions, such that the executions start with $s_0 \xrightarrow{b_1} \cdots \xrightarrow{b_n} s_n$, the traces of the executions are prefixes of $\xi$, and $s_0 = \hat{s}$.

A suitable $E_0$ is obtained by picking, for each $i > 0$, any execution that has $a_1 a_2 \cdots a_i$ as its trace. Of course, $s_0$ is chosen to be $\hat{s}$.

Because $E_n$ contains an infinite number of arbitrarily long executions, it contains infinitely many arbitrarily long executions that are longer than $n$. The $(n+1)$th transition of any such execution is labelled either with $\tau$, or with the $a_k$ such that $restr(b_1 \cdots b_n, \Sigma) = a_1 \cdots a_{k-1}$. Because the LTS is finitely branching, there are only finitely many $\tau$- and $a_k$-transitions that start in $s_n$. Thus infinitely many arbitrarily long members of $E_n$ must share the same $(n+1)$th transition $s_n \xrightarrow{b_{n+1}} s_{n+1}$ (where $b_{n+1} = \tau$ or $b_{n+1} = a_k$). The set of those members can be chosen as $E_{n+1}$. This concludes the induction proof.

Our starting point included the assumption that all prefixes of $\xi$ are nondivergent traces. Therefore, $restr(b_1 b_2 \cdots, \Sigma)$ cannot be finite, because otherwise the infinite execution $s_0 \xrightarrow{b_1} s_1 \xrightarrow{b_2} \cdots$ would generate a divergence trace that is a prefix of $\xi$. As a consequence, $restr(b_1 b_2 \cdots, \Sigma) = \xi$, so $\xi \in Ndinftr(L)$. □

Thus the $Ndtr$-$Mindiv$-$Ndinftr$-equivalence collapses to the $Ndtr$-$Mindiv$-equivalence if the LTSs are finitely branching.

Theorem 4. The $Ndtr$-$Mindiv$-equivalence is the weakest congruence between finite LTSs with respect to “$\parallel$” and hiding that preserves the existence of divergence traces. The claim remains valid if “and hiding” is removed, and/or “finite” is replaced with “finitely branching”.
5 Comparison to CSP-Equivalence 

Readers that are familiar with the CSP theory have certainly noticed that the $Ndtr$-$Mindiv$-$Ndinftr$-equivalence of the previous section has a striking similarity with the well-known failures-divergences equivalence of [?], and we will soon make this similarity explicit. As we hinted in the introduction, the meanings that this equivalence assigns to the terms “failure” and “divergence” are different from the meanings used elsewhere, so we prefer to call this equivalence CSP-equivalence to avoid confusion.

One important goal in the original definition of CSP-equivalence was to derive the meanings of recursive process equations directly — without first converting the processes to LTSs. In this way the need for an operational semantics was avoided. An analysis of the fixed points of process equations made such a definition possible. However, the definition had the consequence that no information of the behaviour of a process after it has executed a divergence trace is preserved by CSP-equivalence. A process that has executed a divergence trace is called Chaos in CSP literature. We assume in this section that all LTSs are finitely branching, because otherwise CSP-equivalence would not be a congruence ([?], p. 200).

CSP-equivalence can be defined in the LTS framework as follows ([?], p. 191). We use the additional concept of stable failure. A stable failure of an LTS is a pair consisting of a trace of that LTS and a subset of its alphabet. It is possible to execute that trace such that the LTS ends up in a state where it can execute neither invisible actions (the state is thus stable), nor any actions from the given subset. Stable failures or related concepts are important in equivalences that preserve deadlock information and are congruences with respect to “$\parallel$”.

Definition 10. Let $L = (S, \Sigma, \Delta, \hat{s})$ be a finitely branching LTS.

— $sfail(L) = \{ (\sigma, A) \in \Sigma^* \times 2^\Sigma \mid \exists s \in S : \hat{s} \overset{\sigma}{\Longrightarrow} s \wedge \forall a \in A \cup \{\tau\} : \neg(s \xrightarrow{a}) \}$ is the set of the stable failures of $L$.

— $CSPdivtr(L) = \{ \sigma \in \Sigma^* \mid \exists \rho : \rho \le \sigma \wedge \rho \in Divtr(L) \}$

— $CSPfail(L) = sfail(L) \cup (CSPdivtr(L) \times 2^\Sigma)$

— CSP-equivalence is the $CSPfail$-$CSPdivtr$-equivalence.

The following proposition implies that CSP-equivalence implies the $Ndtr$-$Mindiv$-equivalence.

Proposition 12. Let $L$ be a finitely branching LTS.

1. $Ndtr(L) = \{ \sigma \mid (\sigma, \emptyset) \in CSPfail(L) \wedge \sigma \notin CSPdivtr(L) \}$

2. $Mindiv(L) = minimals(CSPdivtr(L))$

Proof. Let $\sigma \in Ndtr(L)$, and consider an arbitrary execution that produces $\sigma$. Because $Ndtr(L) \cap Divtr(L) = \emptyset$, any continuation of that execution with $\tau$-transitions eventually leads to a stable state. Thus $(\sigma, \emptyset) \in sfail(L) \subseteq CSPfail(L)$. The definitions of $Ndtr(L)$ and $CSPdivtr(L)$ give that $\sigma \notin CSPdivtr(L)$. On the other hand, if $(\sigma, \emptyset) \in CSPfail(L)$ and $\sigma \notin CSPdivtr(L)$, then $(\sigma, \emptyset) \in sfail(L)$, so $\sigma \in Tr(L)$ and $\sigma \in Ndtr(L)$. Part 1 has now been proven. Part 2 follows easily from the definitions. □
In the opposite direction, clearly $CSPdivtr(L) = \{ \sigma \in \Sigma^* \mid \exists \rho : \rho \le \sigma \wedge \rho \in Mindiv(L) \}$. However, $CSPfail(L)$ cannot be obtained from $Ndtr(L)$, $Mindiv(L)$ and $Ndinftr(L)$, and the $Ndtr$-$Mindiv$-$Ndinftr$-equivalence does not imply CSP-equivalence. The first two LTSs in Figure 3 prove this.

Fig. 3. Two pairs of $Ndtr$-$Mindiv$-$Ndinftr$-equivalent but not CSP-equivalent LTSs



It would be interesting to find a small strengthening to the starting point of the construction of the weakest divergence-preserving congruence such that the result would be precisely CSP-equivalence. Unfortunately, the task seems difficult. What $Ndtr$-$Mindiv$-$Ndinftr$-equivalence misses from CSP-equivalence is clearly related to the deadlock properties of LTSs. Unfortunately, it was shown in [?] that any equivalence that preserves the possibility of deadlocking and is a congruence with respect to “$\parallel$” must preserve $sfail(L)$. CSP-equivalence preserves only those stable failures whose trace part has no divergence trace as a prefix. As a consequence, the requirement of deadlock-preservation would strengthen the equivalence too much. It seems that the requirement must somehow be formulated such that it, like CSP-semantics, does not say anything about the behaviour after executing a minimal divergence trace.

A seemingly promising possibility would be to seek for the weakest “any-lock”-preserving congruence, that is, the weakest congruence that distinguishes systems that can stop executing visible actions from those that cannot. There are two ways in which a system can stop executing visible actions: deadlock (the system cannot execute anything), and livelock or divergence (the system executes infinitely many invisible actions). The congruence need not distinguish between these two reasons, unless the congruence requirement indirectly forces such a distinction to be possible. CSP-equivalence implies this congruence, because CSP-equivalence is itself a congruence, $CSPdivtr(L) = \emptyset$ if and only if $L$ has no divergences, and, in the case that $L$ has no divergences, $(\sigma, \Sigma) \in CSPfail(L)$ if and only if $\sigma$ is a trace that leads to a deadlock.

The proofs of Propositions 8, 9 and 10 can be carried through with the any-lock-preserving congruence by first adding a new action $a_{new}$ to the alphabets of $Test_3$, $Test_1$ and $Test_4$, and attaching a local $a_{new}$-loop (that is, the transition $s \xrightarrow{a_{new}} s$) to each state of $Test_3$, $Test_1$ and $Test_4$. Furthermore, the LTSs $L_3$ and $L_4$ in Figure 3 are $Ndtr$-$Mindiv$-$Ndinftr$-equivalent but not any-lock-equivalent. As a consequence, the any-lock-preserving congruence is strictly stronger than the $Ndtr$-$Mindiv$-$Ndinftr$-equivalence. Indeed, with the test LTS in Figure 4 one can prove that the any-lock-preserving congruence must preserve all stable failures $(a_1 a_2 \cdots a_n, \{b_1, \ldots, b_k\})$ such that no prefix of $a_1 a_2 \cdots a_n b$ is a divergence trace, where $b$ is any element of $\{b_1, \ldots, b_k\}$. This is slightly less than what we want — we would like to allow $a_1 a_2 \cdots a_n b$ (although not $a_1 a_2 \cdots a_n$) to diverge.





Fig. 4. An LTS for testing failures 



Unfortunately, the weakest any-lock-preserving congruence seems to be strictly weaker than CSP-equivalence. Namely, CSP-equivalence distinguishes between hide $\{a_{new}\}$ in $L_3$ and hide $\{a_{new}\}$ in $L_4$, but it seems that the weakest any-lock-preserving congruence does not. Both of these two LTSs can stop executing visible actions by first executing $a$ and then diverging. This remains true if the LTSs are put into an environment that hides $a$ or eventually offers $a$. If the environment refuses $a$ before offering it, then the systems can stop executing visible actions if and only if the environment can. It is thus difficult to think of an environment that would make it possible to distinguish between these two LTSs, when the only thing that can be observed is the ability of stopping executing visible actions.

Theorem 9.3.1 (iii) of [?] characterises CSP-equivalence as the weakest “immediate-any-lock-preserving” congruence, that is, as the weakest congruence that distinguishes systems that can deadlock or diverge before executing any visible actions from those that cannot. This result is not fully satisfactory from our point of view, because its proof uses a somewhat unusual “relational renaming” operator that can convert a transition to two transitions with different labels (see the errata that is in the www page of the book), whereas most of the other weakest congruence results rely only on ordinary parallel composition and hiding. Nevertheless, the result gives a characterisation of CSP-equivalence as the weakest congruence that satisfies a simple condition with respect to a well-known (large) set of operators.

6 Conclusions 

We proved that the weakest livelock-preserving congruence is the $Ndtr$-$Mindiv$-$Ndinftr$-equivalence, and the weakest congruence that preserves all traces that lead to a livelock is the $Tr$-$Divtr$-$Enditr$-equivalence. We proved that Hoare’s well-known CSP-equivalence implies the $Ndtr$-$Mindiv$-$Ndinftr$-equivalence but is not the same. As an attempt to give CSP-equivalence a characterisation as a weakest congruence we investigated the “any-lock”-preserving congruence, and found it to be (apparently strictly) between the $Ndtr$-$Mindiv$-$Ndinftr$-equivalence and CSP-equivalence.

An interesting topic for future research would be to check how sensitive the results in this article are to the particular choice of operators. We state as a hypothesis that the $Tr$-$Divtr$-$Enditr$- and $Ndtr$-$Mindiv$-$Ndinftr$-equivalences remain congruences when other common process operators, such as choice, renaming, etc., are taken into account.
Abstract. We report on our experience in using the Isabelle/HOL theorem prover to mechanize proofs of observation equivalence for systems 
with infinitely many states, and for parameterized systems. We follow 
the direct approach: An infinite relation containing the pair of systems 
to be shown equivalent is defined, and then proved to be a weak bisimula- 
tion. The weak bisimilarity proof is split into many cases, corresponding 
to the derivatives of the pairs in the relation. Isabelle/HOL automati- 
cally proves simple cases, and guarantees that no case is forgotten. The 
strengths and weaknesses of the approach are discussed. 



1 Introduction 

Observation equivalence (or weak bisimilarity) is a natural notion of behavioural equivalence; it has been extensively studied and applied in the literature (see, for instance, [?]). There exist two general ways of showing that a system is observationally equivalent to its specification. One, semantically oriented, way is to follow the definition: exhibit a relation containing as a pair the system and its specification, and prove that it is a bisimulation. Conceptually, the difficult part is to exhibit the relation, while proving that the relation is indeed a bisimulation reduces to a (usually large) number of simple checks of the form “for each derivative there exists a matching derivative”. In order to apply this method the only requirement is to have a good intuition about the system. The second, syntactically oriented, way is to use algebraic (equational) reasoning: the system is proved to be observationally equivalent to the specification by exhibiting a (usually long) chain of equalities starting with the system and ending with the specification. In this case no bisimulation relation has to be guessed but deep insight into the proof system is required.

Both ways can be applied to systems with a finite or infinite state space. In the second case, however, they cannot be completely automatized due to well known undecidability results. Still, algebraic techniques have been used to verify various infinite systems, including a variation of the ABP (see, for instance, [?]); tool support has been developed. In contrast, and to the best of our knowledge, the semantic way has not yet been mechanized for infinite systems, even though it could be very useful: In order to establish that a relation is a bisimulation, a large number of cases may have to be considered, even if the relation can be partitioned into uniformly representable infinite subsets. For instance, the infinite-state version of the alternating bit protocol (ABP) considered in [Mil89], yields a relation consisting of the union of 12 groups of pairs, leading to 94 proof obligations of the form ‘the strong transition on one side can be matched by a weak transition on the other side’. Proofs by hand consider only a few cases (Milner considers 6), leaving the others as obvious or similar. This procedure is of course prone to errors; in fact, Milner remarks that his proof of the ABP is on the verge of what is tractable by hand, and he proposes to mechanize the procedure with the help of theorem provers.

Jos C.M. Baeten, Sjouke Mauw (Eds.): CONCUR’99, LNCS 1664, pp. 525–…, 1999.



In this paper we follow Milner’s suggestion. We report on our experience with 



the mechanization in Isabelle/HOL 



of three examples concerning com- 



munication protocols, including Milner’s proof of the ABP. We examine to what 
extent the theorem prover is able to verify bisimulation relations automatically, 
and at what point the user has to provide additional information. We shall see 
that Isabelle automatically finds derivatives that are reachable by transition se- 
quences of length 0 or 1, while longer transition sequences and their derivatives 
have to be specified by the user. 

We have chosen examples from the area of communication protocols for several reasons. First, they are often used as ‘real-life’ examples to demonstrate the expressiveness and merits, or weaknesses, of concurrent frameworks and their behavioural or algebraic equivalences [?]. Second, they often serve as benchmarks for proof environments, especially for algebraic proof systems in theorem provers. Examples of mechanizations are presented in [?]. Finally, the bisimulation approach seems to be particularly suitable for communication protocols (see the discussion at the end of the paper).

We model both communication protocols and their specifications in terms of labelled transition systems [?], using a concurrent normal form that usually suffices for reactive systems (see also [?]): a finite number of sequential, yet nondeterministic, value-passing processes (i.e., processes with infinite summation) is connected by parallel composition, with an embracing restriction hiding the internal actions. Note that other models like communicating automata, for instance, would have done as well. Note further that the systems and their specifications need not even be described within the same model. Also, our experiments do not rely especially on Isabelle/HOL; we could as well have applied any other generic prover offering higher order logic, like PVS or Coq.



The paper is organized as follows: In Section 2 we give a short overview of the features of Isabelle/HOL we are going to exploit in our case study. The process algebraical framework is introduced in Section 3. The main part of this work is Section 4, where we establish bisimulation relations for three examples, and discuss their proofs in Isabelle: we show that a channel that loses or duplicates messages is observationally equivalent to a channel that further — detectably — garbles messages but applies a filter to discard the garbled ones before delivery. The channels are assumed to be of arbitrary length, thus both systems are infinite-state (Section 4.1). The second example is a mechanization of Milner’s correctness proof for the Alternating Bit Protocol (ABP) [?] in Isabelle/HOL. Also this example is infinite-state as, again, the channels are assumed to be of arbitrary length (Section 4.2). The last example deals with a specification of a Sliding Window Protocol (SWP) in terms of a parallel composition of several channels applying the ABP. It is a parameterized system (the parameter being essentially the window size) containing infinite-state components. Due to the compositionality of observation equivalence we can replace the ABP components with their specifications (i.e., with one-place buffers), and thus obtain a parameterized system of finite-state components (Section 4.3).

Proof-Checking Protocols Using Bisimulations 527 



2 Isabelle/HOL 

Using the generic theorem prover Isabelle [?] we conduct all proofs in its instantiation HOL for higher-order logic [?]. Proofs in Isabelle are based on unification, and are usually conducted in a backward resolution style: the user formulates the goal he/she intends to prove, and then — in interaction with Isabelle 
lates the goal he/she intends to prove, and then — in interaction with Isabelle 
— continuously reduces it to simpler subgoals until all of the subgoals have been 
accepted by the tool. Upon this the goal can be stored in Isabelle’s database as 
a theorem. Isabelle offers various tactics, most of them applying to single sub- 
goals. The basic tactics allow the user to instantiate a theorem from Isabelle’s 
database so that its conclusion can be applied to transform a current subgoal 
into instantiations of its premises. Further there exist automatic tactics using 
the basic tactics to prove given subgoals according to different heuristics. These 
heuristics have in common that a provable goal is always transformed into a set 
of provable subgoals; ‘unsafe’ rules (rules that might yield unprovable subgoals) 
are only applied if none of the resulting subgoals has to be reported to the user 
as currently unproved. Besides these classical tactics Isabelle offers simplification 
tactics based on algebraic transformations. The most general and powerful tactic 
is Auto_tac which interweaves classical and simplification tactics, and reasons 
about all subgoals of the current proof state simultaneously. 

Isabelle’s instantiation for higher-order logic offers a number of modules, 
called theories, including among others frameworks for arithmetics, sets, and 
lists. These modules include databases with basic theorems that have already 
been proved, and that can be referenced by the user when working with the 
modules. The arithmetic module of Isabelle/HOL is of particular interest, as it 
allows the user to give inductive definitions. Note that transition systems are de- 
fined inductively, i.e., as the least set satisfying certain axioms and rules. Isabelle 
then automatically generates various forms of the transition rules including case 
exhaustions stating all reasons that may have led to a given transition; e.g.,
"P || Q → R because P → P' and R = P' || Q, or ...". Further it gener-
ates tactics for structural induction. Although Isabelle/HOL offers a framework 
for coinduction, we do not make use of it, sticking to the original definition of 
observation equivalence given in terms of a predicate over binary relations. 

Isabelle is a generic theorem prover, i.e., the user can define theories of his/her 
own. Such theory modules consist of two parts: in a definition part new types, 
constants, and rules for the constants are introduced; in a second part theorems 
are proved and added to the theorem database. A preamble to the definition 
part lists the theories upon which the new module is based; these can include
built-in as well as user-defined theories. 

3 Transition Systems and Observation Equivalence

Reactive systems generally consist of a finite set of process components which,
according to their states, send and receive data along connections¹ between them
(see also [ ]).

Let $\mathcal{A}$ be a countably infinite set of signals (visible actions) ranged over by
$a, b, \ldots$. Further, in order to transmit messages of some (unspecified) type $\alpha$ we
introduce a countably infinite set of connections $(\alpha)Con$ ranged over by $c_1, c_2, \ldots$.
The type of the connections is parameterized over the type variable $\alpha$, thus we
use $(\alpha)Con$ instead of simply writing $Con$. The set of visible labels, $(\alpha)\mathcal{L}$, is given
by all inputs $a$ and $c(v)$, and outputs $\bar{a}$ and $\bar{c}\langle v\rangle$ of signals and messages along
the connections. We use $Act = \mathcal{A} \cup \{\bar{a} \mid a \in \mathcal{A}\}$ to denote the set of inputs and
outputs on signals.

(States of) systems are defined inductively in terms of (states of) their com-
ponents $P_i$ — given in terms of constant identifiers, and representing the basic
units — and parallel compositions between them. We use the term processes
to refer to components and systems equally. Formally, process components and
states have the following syntax:

$$
(\alpha)PC ::= P_1(x_1) \mid \ldots \mid P_n(x_n), \qquad
(\alpha)S ::= (\alpha)PC \mid (\alpha)S \,\|\, (\alpha)S,
$$

where the $x_i$ are variables of type $\alpha$. In the Isabelle formalization of the protocols,
components are sequential yet possibly nondeterministic processes, where each
state is denoted by a constant of its own.

We use a Plotkin-style transition semantics [ ] given in terms of a strong
transition relation $\rightarrow\ \subseteq (\alpha)S \times ((\alpha)\mathcal{L} \cup \{\tau\}) \times (\alpha)S$. The transition rules are
defined inductively via axioms for the components in $(\alpha)PC$ (describing the
input and output as well as the silent behaviour of the components), and rules
for parallel composition including communication, where $\mu \in (\alpha)\mathcal{L} \cup \{\tau\}$, $a \in \mathcal{A}$,
$c \in (\alpha)Con$, and $v \in \alpha$:

$$
\text{P1}\ \frac{P \xrightarrow{\mu} P'}{P \| Q \xrightarrow{\mu} P' \| Q}
\qquad
\text{C1}\ \frac{P \xrightarrow{a} P' \quad Q \xrightarrow{\bar{a}} Q'}{P \| Q \xrightarrow{\tau} P' \| Q'}
\qquad
\text{C3}\ \frac{P \xrightarrow{c(v)} P' \quad Q \xrightarrow{\bar{c}\langle v\rangle} Q'}{P \| Q \xrightarrow{\tau} P' \| Q'}
$$

The rules P2, C2, and C4 are symmetric versions of P1, C1, and C3.

Note that the transition rules are defined inductively, i.e., the transition
relation is defined as the least set satisfying the given axioms and rules (cf.
Section 2). This implies that besides the constructive rules such as P1, P2, or



¹ We do not use the term channel here, in order to avoid ambiguities with the channels
used by the protocols.
C1, one can give analysis rules telling for a given transition how it can be derived.
Let, e.g., $a$ be a signal, and let $P$ and $Q$ be processes. Then,

$$
\frac{P \| Q \xrightarrow{a} R}
{(\exists P'.\ R = P' \| Q \wedge P \xrightarrow{a} P') \vee (\exists Q'.\ R = P \| Q' \wedge Q \xrightarrow{a} Q')}
$$

is such a case analysis. The general analysis rule comprising silent steps is more
complicated, as it further considers possible communications between the com-
ponents.

We model inputs in an early style, i.e., input rules are of the form $\forall w.\ P \xrightarrow{c(w)}
P'(w)$. When formalizing the transition systems in Isabelle the user need not
state the $\forall$-quantification explicitly but applies a formal parameter for which the
quantification is then automatically provided by the prover. Note that Isabelle
is able to distinguish between constants and formal parameters.

In order to abstract from internal activities of the systems (like, e.g., commu-
nications, idle loops, or the processing of data), we use a weak transition relation
$\Rightarrow\ \subseteq (\alpha)S \times ((\alpha)\mathcal{L} \cup \{\tau, \varepsilon\}) \times (\alpha)S$ which allows for arbitrarily many $\tau$-steps
before and after each transition. As usual $(\xrightarrow{\tau})^*$ denotes the reflexive
transitive closure of (strong) internal steps. Below we give the rules for intro-
ducing $\varepsilon$, lifting strong transitions to weak ones, and for the expansion of weak
transitions by silent steps, where $\nu \in (\alpha)\mathcal{L} \cup \{\tau\}$, and $\mu \in (\alpha)\mathcal{L} \cup \{\tau, \varepsilon\}$.

$$
\frac{}{P \overset{\varepsilon}{\Rightarrow} P}
\qquad
\frac{P \xrightarrow{\nu} P'}{P \overset{\nu}{\Rightarrow} P'}
\qquad
\frac{P\,(\xrightarrow{\tau})^*\,P_1 \quad P_1 \overset{\mu}{\Rightarrow} P_2 \quad P_2\,(\xrightarrow{\tau})^*\,P'}{P \overset{\mu}{\Rightarrow} P'}
$$

Further there exist weak versions of the rules P1, P2, C1, C2, C3, and C4.

We use the common abbreviation $\hat{\mu}$ to denote $\varepsilon$ if $\mu = \tau$, and $\mu$ if $\mu$ is a
visible label.

Isabelle allows a mixfix representation of constants (like actions, processes, or
transitions). Exploiting this we can write P -[c<v>]-> P' for an output of value
v along channel c, or P -[c#{v}]-> P'(v) for an input of v, or P -[tau]-> P'
for a silent transition. We write P =[u]=> P' for a weak transition with label u.

So far we have not distinguished between internal and external signals or con-
nections. In order to avoid an additional restriction operator, for which we would
have to formalize additional rules in Isabelle, we defer the matter of interface to
the definition of bisimilarity. Let $A \subseteq \mathcal{A}$ be a set of signals, and $C \subseteq (\alpha)Con$ a
set of connections of type $\alpha$. Then we define $(\alpha)\mathcal{L}|_{A,C}$ to contain all possible
inputs and outputs on signals in $A$, as well as on connections in $C$.



Definition 1 (Observation Equivalence). A relation $\mathcal{R} \subseteq (\alpha)S \times (\alpha)S$ is
a (weak) bisimulation wrt. $(A, C) \in \mathcal{A} \times (\alpha)Con$, if for all $(P, Q) \in \mathcal{R}$ and
$\mu \in (\alpha)\mathcal{L}|_{A,C} \cup \{\tau\}$, the following holds:

— If $P \xrightarrow{\mu} P'$, for some $P'$, there exists a $Q'$ s.t. $Q \overset{\hat{\mu}}{\Rightarrow} Q'$ and $(P', Q') \in \mathcal{R}$.

— If $Q \xrightarrow{\mu} Q'$, for some $Q'$, there exists a $P'$ s.t. $P \overset{\hat{\mu}}{\Rightarrow} P'$ and $(P', Q') \in \mathcal{R}$.

Two processes $P$ and $Q$ are observation equivalent wrt. $(A, C)$, written $P \approx_{(A,C)} Q$,
if there exists a weak bisimulation containing $(P, Q)$.

Let $\backslash$ be the restriction operator from CCS, extended to be applicable both
to signals and connections. Though we find it convenient not to have a restric-
tion operator on $(\alpha)S$, we are still close to the original notion of observation
equivalence. Let $\mathcal{R}$ be a bisimulation wrt. $(A, C)$. Then

$$
\mathcal{R}' = \{(P \backslash (\mathcal{A} - A, (\alpha)Con - C),\ Q \backslash (\mathcal{A} - A, (\alpha)Con - C)) \mid (P, Q) \in \mathcal{R}\}
$$

is a weak bisimulation in the sense of [ ]. This is due to observation equivalence
being a congruence wrt. restriction. Further every bisimulation in the sense of
[ ] is a bisimulation wrt. $(\mathcal{A}, (\alpha)Con)$. This implies that two systems are obser-
vationally equivalent in the usual sense iff they are so in our sense, allowing us
to adapt congruence properties and proof techniques without having to prove
them explicitly in our framework.



4 A Case Study 

In all of the following examples the sets of labels that are visible to the observer
either consist of signals, or of messages sent along channels. We can thus project
observation equivalence wrt. $(A, C)$ either to observation equivalence wrt. $A$,
written $\approx_A$, or to observation equivalence wrt. $C$, written $\approx_C$.

All proofs in this section follow a uniform pattern: The user sets up the
systems and their specifications by giving their states and transition rules in one
module. From this definition Isabelle computes sets of rules that can be used to
reason about the transitions in a constructive as well as in an analysing style;
further Isabelle generates schemes for structural induction (cf. Sections 2 and 3).
Another module contains as a predicate the criterion for a relation to be a
bisimulation. The bisimulation relation itself is defined and proved in a third
module which relies on the two previous modules. Often a further module is
necessary to provide additional theorems about the data types used to model
the transition systems (e.g., about insertion into or deletion from the finite lists
representing communication channels).

The proof that a relation is a bisimulation usually falls into the following
parts: in a separate theorem for each label we prove symbolically for every
$(P, Q) \in \mathcal{R}$ that if $P \xrightarrow{\mu} P'$, for some $P'$, there exists a $Q'$ s.t. $Q \overset{\hat{\mu}}{\Rightarrow} Q'$
and $(P', Q') \in \mathcal{R}$, and similarly for $Q$. Then the main theorem of each theory
stating that $\mathcal{R}$ is a bisimulation is instantiated according to Definition 1 and
reduced to the above proof obligations. This, including the necessary swapping
of quantifiers, is done automatically by Isabelle.

In the following we present three examples demonstrating the generality of 
the approach: in the first example we compare two infinite-state systems that 
are both non-deterministic; the second example deals with quite a large com- 
posed system containing non-deterministic components and a small deterministic 
specification; in the third example we consider a composed system which is pa-
rameterized wrt. the number of its components. The three examples are closely 
related, e.g., the system studied in our third example contains as its components 
the second one which can be replaced by its specification due to the composition- 
ality of observation equivalence. It should be noted that, unlike in many proof 
mechanizations in theorem provers, our Isabelle proofs are not much different 
from proofs as one would perform them by hand. Yet, what is different is the 
emphasis put on different parts of the proofs. Whereas in proofs by hand one has 
to be careful not to forget about any strong transition, Isabelle automatically 
takes care of this. On the other hand, an Isabelle user has to spend a lot of time 
interacting with the tool in order to prove very simple theorems about the data 
structures manipulated during a transition. In both cases the weak transitions 
have to be found by the person conducting the proof. However, presenting them 
to Isabelle is not much more time-consuming than writing them down on a piece 
of paper, and often it even suffices to provide the prover with a scheme so to 
enable it to generate the transitions automatically. 



4.1 Faulty Channels of Unbounded Size 

Our first example is taken from [ ]. It is of interest to us as it compares two
indeterminate infinite-state systems operating on similar data structures. Most
of the resulting proof obligations refer to strong transitions in weak disguise.

Consider two channels of unbounded capacity, say K and L. We model their 
contents by finite lists of arbitrary length. Both may lose or duplicate messages, 
but K is further able to garble data. This is reflected by an additional bit attached 
to each message in K. 



"L(s) 

"L(s @ a # t) 
"L(s @ a # t) 
"L(s (5 [x] ) 



-[ci#{x}]-> 

- [tau] -> 

- [tau] -> 

- [co<x>] -> 



L(x # s)" 

L(s @ t)" 

L(s @ a # a # t)" 
L(s)" 



(* accept *) 
(* lose *) 

(* dupl *) 

(* deliver *) 



"K(s) 

"K(s (§ a # t) 

"K(s @ a # t) 

"K(s @ (x, b) # t) 
"K(s @ [(x, b)]) 



- [ci#{x>] 

- [tau] -> 

- [tau] -> 

- [tau] -> 

- [cf<(x, 



-> K((x, True) # s)" 

K(s @ t)" 

K(s @ a # a # t)" 

K(s @ (x, False) # t) 

b)>]-> K(s)" 



(* accept *) 
(* lose *) 

(* dupl *) 

(* garble *) 
(* deliver *) 



A filter attached to K delivers correctly transmitted messages and discards 
garbled ones. We consider a version of a filter that discards garbled messages 
immediately when it receives them, but may arbitrarily lose or duplicate a mes- 
sage once it has accepted it. A filter that delivers all messages it has accepted 
would not lead to a system observationally equivalent to L: a state in which a 
message has just been transferred to the filter could not match a losing action 
by L. 



"Filter        -[cf#{(x, True)}]->   FF{x, 0}"       (* accept *)
"Filter        -[cf#{(x, False)}]->  Filter"         (* discard *)
"FF{x, 0}      -[co<x>]->            Filter"         (* deliver *)
"FF{x, Suc n}  -[co<x>]->            FF{x, n}"       (* deliver *)
"FF{x, 0}      -[tau]->              Filter"         (* lose *)
"FF{x, Suc n}  -[tau]->              FF{x, n}"       (* lose *)
"FF{x, n}      -[tau]->              FF{x, Suc n}"   (* dupl *)

Fig. 1. Components of the ABP

By demonstrating that the relation BS_Filter, given below, is a bisimulation
relation wrt. {ci, co}, we can conclude that L ≈ (K || Filter)\{cf}.



"BStr == {(P, Q) . (EX s .     P = K(s) || Filter
                             & Q = L(map fst (filter snd s)))}"

"BSdl == {(P, Q) . (EX s x n . P = K(s) || FF{x, n}
                             & Q = L((map fst (filter snd s))
                                     @ (replicate (Suc n) x)))}"

"BS_Filter == BStr Un BSdl"



In the relation BS_Filter, L contains lists which are obtained from those
stored in K by first eliminating all garbled messages (filter snd s; garbled
messages are tagged with a False bit), and then projecting all elements of the
resulting list to their first components (map fst). The list denoted by
replicate (Suc n) x models the n + 1 copies of message x stored in the
filter.

Proving that BS_Filter is a bisimulation is not difficult, yet one has to
take care of the lists of messages in the channels. As mentioned above most
of the involvement by the user goes into theorems telling, for instance, what
map fst (filter snd s) looks like if an element has been lost from s. Pro-
vided with these theorems, however, Isabelle proves by one single application
of Auto_tac that BS_Filter is a bisimulation. In particular, the user does not
have to find the weak transitions.
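As an added illustration in Python (not part of the paper's Isabelle development), the script below encodes the strong transition rules of L, K and Filter above, the abstraction map underlying BS_Filter, and a bounded check of both clauses of Definition 1 over all K || Filter states up to a small size; run with a filter that cannot lose messages, it also finds the mismatch the text notes for a filter that delivers everything it accepts. The message alphabet and the size bound are constructed assumptions.

```python
"""Bounded check that BS_Filter is a weak bisimulation between channel L and
K || Filter with cf hidden (added illustration; the alphabet is an assumption).
Channel contents are tuples: accept conses at the front (x # s), deliver takes
the last element (s @ [x]).  A K || Filter state is (k, f): k holds
(message, ok-bit) pairs, f is None (state Filter) or (x, n) (state FF{x, n})."""
from collections import deque
from itertools import product

MSGS = ("a", "b")   # constructed message alphabet
TAU = "tau"         # other labels: ("ci", x) for ci#{x}, ("co", x) for co<x>

def steps_L(s):
    """Strong transitions of L(s)."""
    for x in MSGS:
        yield ("ci", x), (x,) + s                                  # accept
    for i in range(len(s)):
        yield TAU, s[:i] + s[i + 1:]                               # lose
        yield TAU, s[:i] + (s[i],) + s[i:]                         # dupl
    if s:
        yield ("co", s[-1]), s[:-1]                                # deliver

def steps_KF(state, filter_may_lose=True):
    """Strong transitions of K || Filter; cf is restricted, so K's deliver
    only happens as a tau communication with the filter."""
    k, f = state
    for x in MSGS:
        yield ("ci", x), (((x, True),) + k, f)                     # K accept
    for i in range(len(k)):
        yield TAU, (k[:i] + k[i + 1:], f)                          # K lose
        yield TAU, (k[:i] + (k[i],) + k[i:], f)                    # K dupl
        yield TAU, (k[:i] + ((k[i][0], False),) + k[i + 1:], f)    # K garble
    if k and f is None:                 # K deliver on cf: Filter accepts a
        x, ok = k[-1]                   # good message and discards a bad one
        yield TAU, (k[:-1], (x, 0) if ok else None)
    if f is not None:
        x, n = f
        fewer = (x, n - 1) if n else None   # FF{x, Suc n} -> FF{x, n}, FF{x, 0} -> Filter
        yield ("co", x), (k, fewer)                                # FF deliver
        if filter_may_lose:
            yield TAU, (k, fewer)                                  # FF lose
        yield TAU, (k, (x, n + 1))                                 # FF dupl

def abstract(state):
    """The L state paired with (k, f) by BS_Filter:
    L(map fst (filter snd s) @ replicate (Suc n) x)."""
    k, f = state
    good = tuple(x for x, ok in k if ok)
    return good + (() if f is None else (f[0],) * (f[1] + 1))

def size_KF(state):
    k, f = state
    return len(k) + (0 if f is None else f[1] + 1)

def tau_closure(step, start, size, limit):
    """States reachable by tau steps, exploring only states of size <= limit."""
    seen, todo = set(start), deque(start)
    while todo:
        for lab, t in step(todo.popleft()):
            if lab == TAU and size(t) <= limit and t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

def weak(step, state, label, size, limit):
    """Targets of ==[label^]==>: tau* label tau*, or tau* alone for label tau
    (label^ = epsilon)."""
    before = tau_closure(step, {state}, size, limit)
    if label == TAU:
        return before
    mid = {t for s in before for lab, t in step(s) if lab == label}
    return tau_closure(step, mid, size, limit)

def states_KF(depth):
    """All K || Filter states of size <= depth."""
    cells = [(x, ok) for x in MSGS for ok in (True, False)]
    for n in range(depth + 1):
        for k in product(cells, repeat=n):
            yield k, None
            for x in MSGS:
                for m in range(depth - n):
                    yield k, (x, m)

def check_bs_filter(depth=2, filter_may_lose=True):
    """Check both clauses of Definition 1 for every pair (P, abstract(P)) with
    size(P) <= depth.  Returns None if they all hold, otherwise the first
    failing (P, Q, label, unmatched successor).  One step grows a state by at
    most one, so matching moves are searched up to size depth + 1."""
    limit = depth + 1
    def step_kf(st):
        return steps_KF(st, filter_may_lose)
    for P in states_KF(depth):
        Q = abstract(P)
        for lab, P2 in step_kf(P):                  # P moves, Q must follow
            if abstract(P2) not in weak(steps_L, Q, lab, len, limit):
                return P, Q, lab, P2
        for lab, Q2 in steps_L(Q):                  # Q moves, P must follow
            if not any(abstract(P2) == Q2
                       for P2 in weak(step_kf, P, lab, size_KF, limit)):
                return P, Q, lab, Q2
    return None
```

Calling check_bs_filter(2, False) returns a pair whose L side can lose a message that the lossless filter cannot drop, which is exactly the mismatch described above.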

The proof script contains less than 300 lines, and has been set up within a 
few hours only. 



4.2 The Alternating Bit Protocol 

The Alternating Bit Protocol (ABP), introduced in [ ], is a well-established
benchmark for proof methodologies implemented in theorem provers (see, for
instance, [ ]). It turns unreliable channels into reliable communication
lines. We consider an infinite-state variant in which the channels can hold ar-
bitrarily many messages. The model as well as the outline of the proof follow
[ ].

The behaviour of the ABP can be specified in terms of a one-place buffer.
This allows us to abstract from the data to be transmitted. Note however that
including them would not further complicate the proof, neither by hand nor in
a theorem prover.

"accBuff - [accept] -> delBuff" (* accept a message *) 

"delBuff -[deliver]-> accBuff" C* deliver a message *) 



The ABP is designed around two faulty channels — one transmitting the
messages and the other retur
ning acknowledgements — a sender and a replier
module. A schematic view is given in Figure 1.

The channels, Trans and Ack, may both lose or duplicate but never swap 
messages. They behave exactly like channel L in the previous Section. We refer 
to the input and output connections of Trans as cs and ct, and to those of Ack 
as cr and ca, respectively. 

The sender module continuously accepts messages from the environment, 
transmits them over the channel Trans, and waits for an acknowledgement along 
Ack, before accepting a new message. If an acknowledgement does not arrive 
within a certain time the sender assumes that the message has been lost and 
resends it. Yet, as the message may only have been delayed, the sender tags all 
messages with a bit so that new messages can be distinguished from old ones. An 
alternating bit suffices for this purpose, as the messages may not be swapped. 



"Accept(b) -[accept]-> Send(b)" 
"Send(b) -[cs<b>]-> Sending(b)" 
"Sending(b) -[tau]-> Send(b)" 
"Sending(b) -[ca#{b]-]-> Accept (~b)" 
"Sending(b) - [ca#{~b]-] -> Sending(b)" 



(* accept a message *) 

C* send message *) 

(* timeout *) 

(* correct acknowledge *) 
(* old acknowledge *) 



After having delivered a message to the environment, the replier module 
repeatedly transmits tagged acknowledgements to the sender until a new message 
arrives. 



"Deliver(b) - [deliver] -> Reply (b)" 
"Reply (b) -[cr<b>]-> Replying (b)" 

"Replying(b) -[tau]-> Reply (b)" 
"Replying(b) - [ct#{~b]-] -> Deliver(~b)" 
"Replying (b) -[ct#{b]-]-> Replying (b)" 



(* deliver a message *) 

C* acknowledge *) 

(* timeout *) 

(* receive new message *) 
(* receive old message *) 



The bisimulation relation, BS_ABP, is the union of the relations BSaccept, in
which the processes are potentially able to accept a new message, and BSdeliver,
in which the processes may deliver the current message. In every channel there
are at most two types of messages or acknowledgements: those that are currently
being delivered, and possibly copies of the previous ones. The finite lists are
thus either of the form $x^n$, or $x^n y^m$; in Isabelle this is expressed by using the
replicate operator defined in the built-in module for finite lists.
"BSaccept == {(P, Q) . Q = accBuff &
    ((EX b n p .   P = Accept(~b)  || Trans(replicate n b) ||
                       Ack(replicate p b) || Reply(b))
   | (EX b n p .   P = Accept(~b)  || Trans(replicate n b) ||
                       Ack(replicate p b) || Replying(b))
   | (EX b m p q . P = Send(~b)    || Trans(replicate m (~b)) ||
                       Ack(replicate p b @ replicate q (~b)) || Reply(~b))
   | (EX b m p q . P = Send(~b)    || Trans(replicate m (~b)) ||
                       Ack(replicate p b @ replicate q (~b)) || Replying(~b))
   | (EX b m p q . P = Sending(~b) || Trans(replicate m (~b)) ||
                       Ack(replicate p b @ replicate q (~b)) || Reply(~b))
   | (EX b m p q . P = Sending(~b) || Trans(replicate m (~b)) ||
                       Ack(replicate p b @ replicate q (~b)) || Replying(~b)))}"

"BSdeliver == {(P, Q) . Q = delBuff &
    ((EX b m p .   P = Send(~b)    || Trans(replicate m (~b)) ||
                       Ack(replicate p b) || Deliver(~b))
   | (EX b m p .   P = Sending(~b) || Trans(replicate m (~b)) ||
                       Ack(replicate p b) || Deliver(~b))
   | (EX b m n p . P = Send(~b)    || Trans(replicate m (~b) @ replicate n b) ||
                       Ack(replicate p b) || Reply(b))
   | (EX b m n p . P = Send(~b)    || Trans(replicate m (~b) @ replicate n b) ||
                       Ack(replicate p b) || Replying(b))
   | (EX b m n p . P = Sending(~b) || Trans(replicate m (~b) @ replicate n b) ||
                       Ack(replicate p b) || Reply(b))
   | (EX b m n p . P = Sending(~b) || Trans(replicate m (~b) @ replicate n b) ||
                       Ack(replicate p b) || Replying(b)))}"

"BS_ABP == BSaccept Un BSdeliver"

To show that BS_ABP is indeed a bisimulation wrt. {accept, deliver} we
follow our usual scheme. As a typical example consider the case where the ABP
performs a strong accept transition. We have to prove the obligation: if (P, Q)
∈ BS_ABP and P -[accept]-> P', then there exists a Q' s.t. Q =[accept]=> Q',
and (P', Q') ∈ BS_ABP. Out of the six subrelations in BSaccept, differing in
the shape of P, Isabelle automatically extracts the first two as those in which P
can do an accept. It remains to show that in both cases the resulting process
P' fits the shape of P in the third and fourth subrelations of BSdeliver, the
difficulty being that the lists of messages in the channels look different from
those in BSaccept. However, once provided with the necessary theorems about
finite lists, Isabelle manages to complete the proof fully automatically.

Another interesting example is the reverse case where Q -[accept]-> Q',
and P =[accept]=> P'. For the third through sixth case of BSaccept the user
has to provide suitable sequences of weak transitions leading to the acceptance of
a new message. In all of the cases we can apply the following scheme: remove all
messages from Trans and Ack (that this is possible can be shown by an induction
on the length of the lists stored in the channels), then have the replier transmit
an acknowledgement to the sender, and finally execute the accept transition.

Fig. 2. A Specification of the SWP

For the invisible transitions of the ABP we essentially have to show that 
they yield derivatives that still lie within BSaccept or BSdeliver, respectively. 
As for each of the processes there are several possibilities, we examine each of the 
twelve cases separately. Note, moreover, that a simultaneous treatment of all the 
cases may exceed the capacity of the prover, as also the hypothetical cases like 
“component Ack communicates with component Trans” have to be considered, 
resulting in an exponential blow-up of cases. Again, provided with the necessary 
theorems about lists, Isabelle proves the cases fully automatically. 

The proof script contains about 800 lines. As a large part of it consists 
of theorems about the finite lists used in the channels, some experience with 
theorem provers is necessary to set up the proofs. The bisimulation part itself 
contains a bit more than 400 lines, and can be set up within a few days by a 
user experienced both in the bisimulation proof method and theorem proving. 
Notice, however, that this is only possible if the concept of the proof is already
clear before Isabelle is brought into play.

4.3 A Specification of the Sliding Window Protocol 

In [ ] a specification of the Sliding Window Protocol (SWP) is presented, given
by the parallel composition of n communication lines which in turn use the ABP
on faulty channels. Figure 2 gives a schematic view of the system. Incoming
messages are cyclically distributed to the communication lines by a distributor
module, and are recollected and delivered by a collector module. The system
specifies the behaviour of an SWP with input and output windows of equal size.
A far simpler specification consists of an (n + 2)-place buffer, if n is the number
of parallel channels in our implementation (the distributor and the collector
contribute one place each).

We now reason that an implementation using n copies of the ABP and an
(n + 2)-place buffer are observation equivalent. Applying the compositionality of
observation equivalence, we can use one-place buffers instead of the n copies of
the ABP. We split the proof into three parts, again exploiting the composition-
ality of observation equivalence.

This time we cannot abstract from data, as the system need not deliver a
message before accepting a new one. We have to guarantee that messages are
not swapped. The one-place buffers EB² are thus of the following form, where ci_i
and co_i are denoted by ci{i} and co{i}, respectively:

"EB{i, None}   -[ci{i}#{x}]->  EB{i, Some x}"   (* accept *)
"EB{i, Some x} -[co{i}<x>]->   EB{i, None}"     (* deliver *)

Distributor and collector possess parameters h and l telling to which of the
buffers a message is to be sent, or from which one it is to be taken. Each such
transition increments the parameters by 1 modulo the number of buffers, yielding
the cyclic behaviour of distributor and collector.

"D{n, h, None}   -[ca#{x}]->     D{n, h, Some x}"          (* accept *)
"D{n, h, Some x} -[ci{h}<x>]->   D{n, h {+n} 1, None}"     (* distr *)
"C{n, l, None}   -[co{l}#{x}]->  C{n, l {+n} 1, Some x}"   (* collect *)
"C{n, l, Some x} -[cd<x>]->      C{n, l, None}"            (* deliver *)

In the sequel we discuss the three parts of the proof: 

(1) We need a finite representation of the n one-place buffers put in parallel.
They can be described by a single component AB containing an array with n
elements, one for the place of each buffer.

"[| i < length xs ; xs ! i = None |] ==>
   AB{xs} -[ci{i}#{x}]-> AB{xs [i := Some x]}"   (* accept *)
"[| i < length xs ; xs ! i = Some x |] ==>
   AB{xs} -[co{i}<x>]->  AB{xs [i := None]}"     (* deliver *)

The first rule reads as follows: for all positions numbered 0 ≤ i < n (with n
= length xs), if the position is empty (xs ! i = None), then AB can read a value
on connection ci{i} and store it in place i. The second rule is the corresponding
rule for destructive output.

In order to show that a parallel composition of n one-place buffers and an
array buffer of size n are observation equivalent wrt. {ci{i} | 0 ≤ i < n} ∪
{co{i} | 0 ≤ i < n}, we show that for every array of length n, there is a
bisimulation containing (EB{n, None} || AB{None^n}, AB{None^(n+1)}):

"BS_BuffInduct == {(P, Q) .
   (EX xs x . P = (EB{(length xs), x}) || AB{xs} &
              Q = AB{xs @ [x]})}"

Exploiting the compositionality of observation equivalence, we can conclude
by induction on the number of parallel components that

EB{0, None} || ... || EB{(n - 1), None}  ≈_{ci{i}, co{i}}  AB{None^n}.

² EB stands for 'element buffer', as opposed to the 'array buffer' AB introduced later.
(2) As a consequence of (1) our implementation reduces to a system consisting
of a distributor, a collector, and an array buffer AB of size n. We proceed by
comparing this system to another system given by a variation of an n-place
buffer BP, and two barrier one-place buffers, one attached to its 'front' (FB), and
another attached to its 'back' (BB). Internally the n-place buffer is organized like
the array buffer, yet it possesses only one input and one output connection, and
stores and retrieves messages in a cyclic order; the parameters h and l indicate
where to store messages and from where to retrieve them.

"cs!h = None ==> BP{h, l, cs} -[ci#{x}]->
                   BP{h {+length(cs)} 1, l, cs [h := Some x]}"   (* accept *)
"cs!l = Some x ==> BP{h, l, cs} -[co<x>]->
                   BP{h, l {+length(cs)} 1, cs [l := None]}"     (* deliver *)

"FB{None}   -[ca#{x}]->  FB{Some x}"   (* accept *)
"FB{Some x} -[ci<x>]->   FB{None}"     (* deliver *)

"BB{None}   -[co#{x}]->  BB{Some x}"   (* accept *)
"BB{Some x} -[cd<x>]->   BB{None}"     (* deliver *)

We can show that D{n, h, None} || AB{None^n} || C{n, l, None} and
FB{None} || BP{h, l, None^n} || BB{None} are observation equivalent wrt.
{ca, cd} by exhibiting the following bisimulation relation:

"BS_SWP == {(P, Q) . (EX xs x y h l .
   h < length xs & l < length xs &
   P = (FB{x}) || (BP{h, l, xs}) || BB{y} &
   Q = (D{length xs, h, x}) || (AB{xs}) || C{length xs, l, y})}"

(3) To complete the proof we have to show that BP behaves like an n-place
buffer, nB, modelled as follows:

"length(s) < n ==> nB{n, s} -[ci#{x}]-> nB{n, s @ [x]}"
"nB{n, x # s} -[co<x>]-> nB{n, s}"

A list None^l ∘ s ∘ None^(n-h) stored in BP is reflected in nB by a list ŝ (see BS1_1
below); ŝ is obtained from s by mapping all elements Some x to x (s does not
contain None anyway); a list s1 ∘ None^(l-h) ∘ s2 in BP is reflected in nB by ŝ2 ∘ ŝ1 (see
BS1_2 below). The bisimulation relation looks as follows:

"BS1_1 == {(P, Q) . (EX n cs h l .
     P = nB{n, map the cs}
   & Q = BP{h, l, replicate l None @ cs @ replicate (n - h) None}
   & list_all (%x . x ~= None) cs
   & h < n
   & l + length cs = h)}"

"BS1_2 == {(P, Q) . (EX n cs1 cs2 h l .
     P = nB{n, map the cs2 @ map the cs1}
   & Q = BP{h, l, cs1 @ replicate (l - h) None @ cs2}
   & list_all (%x . x ~= None) cs1
   & list_all (%x . x ~= None) cs2
   & length cs1 = h
   & h <= l & l < n
   & l + length cs2 = n)}"

"BS_nBuffer == BS1_1 Un BS1_2"

The proof script for the three bisimulations verifying the SWP contains about
600 lines, and has been set up in less than two weeks. The proofs of (1) and (2) are
rather straightforward, as P and Q behave similarly. Isabelle deduces the proofs
automatically without the user having to split them into single theorems covering
the obligations. Note that the weak transitions are directly derivable from strong
ones applying the rules TE and SW (see Section 3), thus need not be given by
the user. Also, almost no additional results about the data types have to be
provided by the user. The most challenging part concerning the mechanization
is (3), as here cyclic structures are mapped to linear lists. The corresponding
theorems make up nearly two thirds of the proof. For these proofs certain
expertise in theorem proving is indispensable.

5 Discussion 

In the previous section we have presented a mechanization of the verification of 
communication protocols in a process-algebraical framework based on exhibiting 
bisimulation relations. In this section we discuss several questions about our ap- 
proach, going from the more general (is a bisimulation framework appropriate?) 
to the more concrete (how to further improve our techniques). 

Are Bisimulation Techniques Suitable? Bisimulations are often argued to be too
discriminating for many practical applications. In the area of communication
protocols this seems to be a lesser problem. Due to the rather deterministic
behaviour of the specifications of communication protocols, observation and fair
testing equivalence [ ] — sometimes even trace equivalence [ ] — coincide,
no matter what the implementations of the protocols look like. Thus, in these
cases one can profit from the bisimulation proof methodology to show the, usually
less discriminating, notions of testing or trace equivalence.

Bisimulation equivalence does not preserve liveness properties since, e.g.,
one cannot infer from Q being divergence-free that necessarily P is so too, even
if they are weakly bisimilar. However, in the area of communication protocols
nondeterminism often models probabilistic choice (a message can be lost with a
certain probability), and so it is often reasonable to assume that the system does
not remain in any τ-loop indefinitely (as for instance in the ABP). Under this
assumption bisimulation preserves liveness properties. It should also be mentioned
that our approach can be extended to stronger bisimulation-like equivalences
preserving liveness properties (see, for instance, [ ]).

Comparison with Algebraic Techniques. Algebraic techniques are generally con-
sidered more elegant. Furthermore, it has been claimed that they succeed in cases
where it is hard to find a bisimulation relation [ ]. Their main drawback with
respect to our approach is that they require deep insight into a proof system for
bisimulation; on the contrary, exhibiting a bisimulation relation requires only
good intuition about the system. A further point is that algebraic techniques
usually require the transformation of a system into its normal form applying
expansion, which in the presence of parallel compositions leads to an explosion
of the size of the process. The degree of the explosion corresponds to the number
of proof obligations the system produces in a bisimulation relation. A direct ap-
proach has the advantage that the explosion problem can be attacked by splitting
the proof obligations, as we have done in Section 4.3.



Keeping Bisimulations Manageable. Keeping the size of relations manageable is 
an important problem of our approach. Notice, for instance, that the description 
of BS_ABP already takes almost a page. A first solution is to use the compositionality 
of observation equivalence. In our third example we were able to replace the 
ABP channels by one-place buffers. Without this the bisimulation would have 
been unmanageable. Furthermore, though we have not used them, there 
exist various 'up to' techniques that can be exploited to reduce the size of the 
relations. 'Up to' techniques combine the direct approach with algebraic 
reasoning. 



Dealing with Data Structures. Although our approach does not require one to master 
a proof system for bisimulation, it still requires a lot of expertise in theorem 
proving, as usually the systems to be verified manipulate data. Proving simple 
facts about the data structures of a system (lists, stacks, etc.) may amount to 
more than half of the interaction with the theorem prover. At this point the 
user has to decide whether to perform the full proof, or whether to provide 
certain necessary theorems as unproved axioms. Usually the properties of the 
data structures are rather straightforward, and so the proof does not lose much 
credibility. 



Improving the Approach. In our case study we have modelled all transition systems 
from scratch, slightly modifying the definition of observation equivalence in 
order to avoid a restriction (or hiding) operator, and projecting the labels either 
on the signals or on the use of connections. A formalization of a framework for 
further proofs would of course have to contain a restriction operator, and to 
implement a general definition of observation equivalence. Further, there would have 
to be a transition rule lifting the user-defined axioms to the transition systems. 
We have implemented such a prototypical framework, yet still with restriction 
integrated in the definition of bisimilarity, and have transferred some simple 
proofs from Section 4 to it. 
Event Structures as Presheaves 
— Two Representation Theorems 

Abstract. The category of event structures is known to embed fully 
and faithfully in the category of presheaves over pomsets. Here a characterisation 
of the presheaves represented by event structures is presented. 
The proof goes via a characterisation of the presheaves represented by 
event structures when the morphisms on event structures are "strict" in 
that they preserve the partial order of causal dependency. 



1 Introduction 

Presheaves have been advanced as a model of nondeterministic processes which 
supports a notion of bisimulation and as well extends to higher order. 
At the start of this work, an earlier paper showed that the 
category of (labelled) event structures embedded fully and faithfully in the 
category of presheaves over pomsets; the embedding arises canonically from the 
fact that pomsets can be regarded as event structures. That paper gave several 
grounds for viewing the presheaf category as consisting of generalised event 
structures. 

Clearly some presheaves were not obtained from event structures, among 
them those presheaves which were not "rooted" in the sense of not having a 
unique starting state. The empty presheaf is not rooted. It allows no computation, 
not even the empty pomset. At the other extreme, the terminal presheaf, 
which assigns a singleton set to each pomset, supports all computational 
behaviour (like the "chaos" of CSP); although rooted it cannot correspond to an 
event structure, seen most quickly by noticing that all morphisms from pomsets 
to event structures are mono, a state of affairs not reflected in the presheaf 
category for the terminal object. Other presheaves not corresponding to event 
structures could nevertheless be understood within broader classes of models 
such as certain categories of Petri nets. But the precise boundary was unclear; 
there remained the question of precisely which presheaves over pomsets arose 
from event structures. 

This paper uncovers the conditions that characterise those presheaves represented 
by event structures (Theorem 17). The proof involves first showing 
an analogous result for a stricter class of morphisms on event structures (Theorem 9). 
A condition central to both theorems is one equivalent to saying that the 
presheaves should be separated with respect to a simple Grothendieck topology. 

* Basic Research in CS, Centre of the Danish National Research Foundation. 
© Springer-Verlag Berlin Heidelberg 1999 





542 Glynn Winskel 



2 Event Structures and Pomsets 

We will work with labelled event structures, and throughout this paper we 
assume a fixed set of labels $L$. 

A (labelled) event structure is a structure $(E, \le, \mathrm{Con}, l)$ consisting of a 
set $E$ of events which are partially ordered by $\le$, the causal dependency relation, 
a nonempty consistency relation $\mathrm{Con}$ consisting of finite subsets of events, and 
a labelling function $l : E \to L$, which satisfy 

$$\{e' \mid e' \le e\} \text{ is finite},$$

$$\{e\} \in \mathrm{Con},$$

$$Y \subseteq X \in \mathrm{Con} \Rightarrow Y \in \mathrm{Con},$$

$$X \in \mathrm{Con} \;\&\; e \le e' \in X \Rightarrow X \cup \{e\} \in \mathrm{Con},$$

for all events $e, e'$ and finite subsets $X, Y$ of events. Events $e, e' \in E$ are concurrent 
(causally independent) iff $(e \not\le e' \;\&\; e' \not\le e \;\&\; \{e, e'\} \in \mathrm{Con})$. A configuration of 
$E$ is a subset $x \subseteq E$ which is 

— downwards-closed: $\forall e, e'.\; e' \le e \in x \Rightarrow e' \in x$, and 

— consistent: $\forall X.\; X \text{ finite} \;\&\; X \subseteq x \Rightarrow X \in \mathrm{Con}$. 

An event $e$ determines a prime configuration $[e] = \{e_1 \in E \mid e_1 \le e\}$ consisting 
of all its causal predecessors and the event itself. 

We restrict attention to label-preserving morphisms on event structures over 
the common labelling set $L$. Let $E = (E, \le, \mathrm{Con}, l)$, $E' = (E', \le', \mathrm{Con}', l')$ 
be event structures over $L$. A morphism from $E$ to $E'$ consists 
of a function $f : E \to E'$ on events which preserves labels (i.e. $l = l' \circ f$) such 
that if $x$ is a configuration of $E$, then its image $fx$ is a configuration of $E'$ and 
if for $e_1, e_2 \in x$ their images are equal, i.e. $f(e_1) = f(e_2)$, then $e_1 = e_2$. We can 
equivalently describe a morphism of event structures from $E$ to $E'$ as a label-preserving 
function $f : E \to E'$ such that 

$$\forall e \in E.\; [f(e)] \subseteq f[e] \;\;\&$$

$$\forall X \in \mathrm{Con}.\; [\,fX \in \mathrm{Con}' \;\&\; (\forall e_1, e_2 \in X.\; f(e_1) = f(e_2) \Rightarrow e_1 = e_2)\,].$$

We say a morphism $f : E \to E'$ of event structures is strict iff $[f(e)] = f[e]$ for all $e \in E$. 

It is easy to check that the function composition of two morphisms of event 
structures is a morphism so that we obtain a category. 

Definition 1. We write $\mathbf{E}$ for the associated category of event structures, writing 
$\mathbf{E}_s$ for the subcategory with strict morphisms. 

In event structures a configuration, to be thought of as a computation path, 
carries more structure than simply a string of actions. A configuration inherits 
the shape of a pomset from the causal dependency and labelling of the event 
structure. Pomsets are partial orders of labelled events and so can be identified 
with special event structures where all finite subsets of events are consistent. 

Definition 2. Say a pomset is prime when it has a top event $e$ with respect to 
the causal dependency relation $\le$, so its set of events is $[e]$. 
Morphisms from pomsets to event structures are 1-1 functions which send 
downwards-closed sets to downwards-closed sets. Thus a morphism from pomset 
$P$ to pomset $Q$ may not only extend $P$ by extra events but also relax the causal 
dependency relation; two events causally related in $P$ may have images no longer 
causally related in $Q$. Of course this cannot occur for a strict morphism, which 
would force $P$ to be a pomset prefix of $Q$. 

We separate the forms of morphism corresponding to the different ways one 
pomset can extend another. 

Definition 3. Define $\mathbf{Pom}$ to be the full subcategory of event structures $\mathbf{E}$ with 
objects finite pomsets. Define $\mathbf{Pom}_s$ to be the subcategory of $\mathbf{Pom}$ where all 
morphisms are strict morphisms. 

An epimorphism in $\mathbf{Pom}$ is called an augmentation (the term follows the literature, 
though note the switch of direction relative to its usual use). 

It is clear that all isomorphisms in $\mathbf{Pom}$ are augmentations (and strict) and 
that restricting to augmentation morphisms also yields a subcategory of $\mathbf{Pom}$. 

Proposition 4. In $\mathbf{Pom}$, any morphism $f : P \to Q$ factors uniquely to within 
isomorphism as a composition $f = P \xrightarrow{\;a\;} Q_0 \xrightarrow{\;j\;} Q$ where $a$ is an augmentation 
and $j$ is a strict morphism. 

Such augment-strict factorisations play a central role in the proof of the second 
representation theorem. 
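The definitions of Section 2 and the factorisation of Proposition 4 are concrete enough to execute on finite examples. The Python below is an added example, not code from the paper: it represents finite labelled event structures, enumerates configurations, checks both the configuration-based and the local characterisation of a morphism, tests strictness, and computes the augment-strict factorisation of a pomset morphism by taking the image of $P$ with the causal order of $Q$. The sample event structures, the names `EventStructure`, `is_morphism`, `is_morphism_local`, `is_strict` and `augment_strict_factorisation`, and the encoding of $\mathrm{Con}$ by a list of consistent sets closed under subsets are assumptions of the example; the augmentation factor is checked as surjectivity on events rather than via the general epimorphism condition.

```python
from itertools import combinations


def _subsets(s):
    """All subsets of the finite set s, the empty set included."""
    s = list(s)
    return [frozenset(c) for r in range(len(s) + 1) for c in combinations(s, r)]


class EventStructure:
    """A labelled event structure (E, <=, Con, l).  `order` lists pairs (e, e')
    meaning e <= e' (reflexive transitive closure is taken); `con_max` lists
    consistent sets and Con is closed under subsets (assumed encoding)."""

    def __init__(self, events, order, con_max, labels):
        self.events = frozenset(events)
        self.labels = dict(labels)
        self.le = self._closure(order)
        self.con = {y for m in con_max for y in _subsets(m)}
        self._check_axioms()

    def _closure(self, order):
        le = {(e, e) for e in self.events} | set(order)
        changed = True
        while changed:                      # naive transitive closure
            changed = False
            for (a, b) in list(le):
                for (c, d) in list(le):
                    if b == c and (a, d) not in le:
                        le.add((a, d))
                        changed = True
        return le

    def _check_axioms(self):
        # {e} in Con, and  X in Con & e <= e' in X  =>  X u {e} in Con
        for e in self.events:
            if frozenset([e]) not in self.con:
                raise ValueError(f"{{{e}}} must be consistent")
        for x in self.con:
            for e2 in x:
                for e in self.events:
                    if (e, e2) in self.le and (x | {e}) not in self.con:
                        raise ValueError(f"{set(x)} in Con but {set(x | {e})} is not")

    def prime(self, e):
        """[e] = {e1 | e1 <= e}, the prime configuration of e."""
        return frozenset(e1 for e1 in self.events if (e1, e) in self.le)

    def is_configuration(self, x):
        x = frozenset(x)                    # downwards-closed and consistent
        return x <= self.events and all(self.prime(e) <= x for e in x) and x in self.con

    def configurations(self):
        return [x for x in _subsets(self.events) if self.is_configuration(x)]

    def concurrent(self, e, e2):
        return (e, e2) not in self.le and (e2, e) not in self.le and frozenset([e, e2]) in self.con


def _labels_ok(f, E, F):
    return all(E.labels[e] == F.labels[f[e]] for e in E.events)


def is_morphism(f, E, F):
    """Paper's definition: label preserving, every configuration x of E has
    image f x a configuration of F, and f is injective on x."""
    return _labels_ok(f, E, F) and all(
        len({f[e] for e in x}) == len(x) and F.is_configuration({f[e] for e in x})
        for x in E.configurations())


def is_morphism_local(f, E, F):
    """Equivalent local form: [f(e)] subset of f[e] for all e, and for every
    X in Con, f X in Con' with f injective on X."""
    return _labels_ok(f, E, F) and all(
        F.prime(f[e]) <= {f[e1] for e1 in E.prime(e)} for e in E.events) and all(
        len({f[e] for e in x}) == len(x) and frozenset(f[e] for e in x) in F.con
        for x in E.con)


def is_strict(f, E, F):
    """Strict: [f(e)] = f[e] for every event e."""
    return is_morphism(f, E, F) and all(
        F.prime(f[e]) == {f[e1] for e1 in E.prime(e)} for e in E.events)


def pomset(events, order, labels):
    """A pomset: an event structure in which all finite subsets are consistent."""
    return EventStructure(events, order, [list(events)], labels)


def augment_strict_factorisation(f, P, Q):
    """Proposition 4: f : P -> Q as an augmentation a : P ->> Q0 (checked here as
    surjective on events) followed by a strict j : Q0 >-> Q.  Q0 is the image of
    P with the order inherited from Q; it is downwards-closed in Q because
    morphisms send downwards-closed sets to downwards-closed sets."""
    image = sorted(f[e] for e in P.events)
    order = [(q, q2) for (q, q2) in Q.le if q in image and q2 in image]
    Q0 = pomset(image, order, {q: Q.labels[q] for q in image})
    a, j = dict(f), {q: q for q in image}
    assert is_morphism(a, P, Q0) and len(set(a.values())) == len(Q0.events)
    assert is_strict(j, Q0, Q)
    return Q0, a, j


# Constructed sample data (not from the paper).
P = pomset(["p1", "p2"], [("p1", "p2")], {"p1": "a", "p2": "b"})
Q = pomset(["q1", "q2", "q3"], [("q1", "q3")], {"q1": "a", "q2": "b", "q3": "c"})
f = {"p1": "q1", "p2": "q2"}    # drops the dependency p1 <= p2: q1, q2 are concurrent
g = {"p1": "q2", "p2": "q1"}    # not label preserving, hence not a morphism
E = EventStructure(["e1", "e2", "e3"], [("e1", "e3")],
                   [["e1", "e2"], ["e1", "e3"]],    # e2 and e3 are in conflict
                   {"e1": "a", "e2": "b", "e3": "c"})


def demo():
    Q0, a, j = augment_strict_factorisation(f, P, Q)
    return {"f_morphism": is_morphism(f, P, Q), "f_local": is_morphism_local(f, P, Q),
            "f_strict": is_strict(f, P, Q), "g_morphism": is_morphism(g, P, Q),
            "E_configs": len(E.configurations()), "E_concurrent": E.concurrent("e1", "e2"),
            "Q0_concurrent": Q0.concurrent("q1", "q2"), "j_strict": is_strict(j, Q0, Q)}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two characterisations of a morphism agreeing on `f`, that `f` is not strict because it relaxes the order between the images of `p1` and `p2`, and that the factorisation recovers exactly that relaxation in the augmentation while the second factor is a strict inclusion.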



3 Presheaf Models 

Here a presheaf over an (essentially small) category $\mathbf{P}$ is thought of as standing for 
a nondeterministic process whose computation paths have the shape of objects 
of $\mathbf{P}$; according to this view the morphisms of $\mathbf{P}$ express how one path shape 
extends to another. In this paper $\mathbf{P}$ will be either $\mathbf{Pom}$ or $\mathbf{Pom}_s$. 

The objects (presheaves) of $\widehat{\mathbf{P}}$ consist of functors $\mathbf{P}^{op} \to \mathbf{Set}$, to the category 
of sets. The morphisms of $\widehat{\mathbf{P}}$ are natural transformations between functors. A 
presheaf $X : \mathbf{P}^{op} \to \mathbf{Set}$ can be thought of as specifying for a typical object $P$ 
the set $X(P)$ of computation paths of shape $P$. It acts on a morphism $j : P \to Q$ 
in $\mathbf{P}$ to give a function $X(j) : X(Q) \to X(P)$ saying how $Q$-paths restrict to $P$-paths. 

Notation: Let $X$ be a presheaf over a category $\mathbf{P}$. Let $j : P \to Q$ be a morphism 
in $\mathbf{P}$. As is usual, we will frequently write $y \cdot j$ for $X(j)(y)$, the restriction of 
$y \in X(Q)$ along $j : P \to Q$, a morphism in $\mathbf{P}$. Note that the functoriality of $X$ 
ensures that $(y \cdot k) \cdot j$, which we will most often write as $y \cdot k \cdot j$, equals $y \cdot (k \circ j)$, 
when $j : P \to Q$, $k : Q \to R$ and $y \in X(R)$. 

Definition 5. Let $X$ be a presheaf over $\mathbf{P}$. Define its category of elements $\mathrm{els}(X)$ 
to be the category consisting of: objects $(P, x)$ where $P$ is an object of $\mathbf{P}$ and 
$x \in X(P)$; morphisms $j : (P, x) \to (Q, y)$ whenever $j : P \to Q$ in $\mathbf{P}$ and $x = y \cdot j$. 
The Yoneda embedding $y : \mathbf{P} \to \widehat{\mathbf{P}}$ expresses how to regard a path $P$ as the 
presheaf $\mathbf{P}[-, P]$, such presheaves being called representables. The category of 
presheaves $\widehat{\mathbf{P}}$ is the free colimit completion of $\mathbf{P}$: for any functor $F : \mathbf{P} \to \mathcal{E}$ 
where $\mathcal{E}$ has all small colimits, there is a functor $\mathrm{Lan}_y(F) : \widehat{\mathbf{P}} \to \mathcal{E}$, unique to 
within isomorphism, such that the triangle 

$$\mathrm{Lan}_y(F) \circ y \;\cong\; F$$

commutes. In particular, as presheaf categories have all small colimits we can 
instantiate $\mathcal{E}$ to a presheaf category $\widehat{\mathbf{Q}}$. The functor $\mathrm{Lan}_y(F)$ (a left Kan extension) 
can be described explicitly as that functor such that 

$$\mathrm{Lan}_y(F)(X) = \mathrm{colim}_{(P,x) \in \mathrm{els}(X)} F(P)$$

for any $X \in \widehat{\mathbf{P}}$; its action on morphisms is determined by the universal property 
of colimits. 



Colimits in $\mathbf{Set}$: Colimits of presheaves are given pointwise in terms of colimits 
in $\mathbf{Set}$ for which we can make use of an explicit construction of colimits: 

Proposition 6. Let $I$ be a small category. Let $D : I \to \mathbf{Set}$ be a functor (called 
a diagram of shape $I$ in $\mathbf{Set}$). Then $D$ has a colimit in $\mathbf{Set}$ given explicitly as 
the cone consisting of the set $C$ and functions $\gamma_i : D(i) \to C$, for $i \in I$, described 
as follows. The set $C$ is the set of equivalence classes 

$$C = \Bigl(\,\biguplus_{i \in I} D(i)\Bigr) / \sim$$

where $\sim$ is the least equivalence relation on the set $\biguplus_{i \in I} D(i)$ for which 
$(i, x) \sim (j, y)$ if $D(f)(x) = y$, for some $f : i \to j$ in $I$. 

The function $\gamma_i : D(i) \to C$, where $i \in I$, takes $x \in D(i)$ to the equivalence class 
$\{(i, x)\}_\sim$. 

As colimits are unique to within isomorphism, we can and shall assume that 
all the colimits in $\mathbf{Set}$ we consider are given explicitly as in Proposition 6. 
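Proposition 6 is directly an algorithm: the least equivalence relation generated by the pairs $(i, x) \sim (j, D(f)(x))$ is exactly what a union-find structure over the disjoint union computes, and the cone components $\gamma_i$ are the class lookups. The Python below is an added example, not code from the paper; the representation of a diagram as a list of objects, a table of finite sets and a list of arrow tables, the diagrams `COEQ`, `PUSHOUT` and `CHAIN`, and the function names are assumptions of the example. The same construction, with $I = \mathrm{els}(X)$ and $D(Q, x) = Q$, is what Lemma 12 later uses for the event set of the colimit in $\mathbf{E}_s$.

```python
def colimit_in_set(objects, D, arrows):
    """Explicit colimit of a diagram D : I -> Set (Proposition 6).

    objects: the objects i of I;  D: dict i -> finite set D(i);
    arrows: list of (i, j, phi) with phi a dict giving D(f) : D(i) -> D(j)
    for each morphism f : i -> j of I (identities may be left out).
    Returns (classes, gamma): `classes` lists the elements of
    C = (disjoint union of the D(i)) / ~ as frozensets of tagged pairs (i, x);
    gamma[(i, x)] is the index of the class {(i, x)}_~, so gamma restricted
    to D(i) is the cone component gamma_i : D(i) -> C."""
    parent = {(i, x): (i, x) for i in objects for x in D[i]}

    def find(p):                            # union-find with path halving
        while parent[p] != p:
            parent[p] = parent[parent[p]]
            p = parent[p]
        return p

    # Generators of ~ : (i, x) ~ (j, D(f)(x)).  Merging their classes yields
    # exactly the least equivalence relation containing the generators.
    for (i, j, phi) in arrows:
        for x in D[i]:
            if phi[x] not in D[j]:
                raise ValueError(f"D(f)({x!r}) = {phi[x]!r} is not in D({j!r})")
            parent[find((i, x))] = find((j, phi[x]))

    index, classes, gamma = {}, [], {}
    for i in objects:
        for x in sorted(D[i]):
            root = find((i, x))
            if root not in index:
                index[root] = len(classes)
                classes.append(set())
            classes[index[root]].add((i, x))
            gamma[(i, x)] = index[root]
    return [frozenset(c) for c in classes], gamma


def is_cone(D, arrows, gamma):
    """The cone condition gamma_j o D(f) = gamma_i for every arrow f : i -> j."""
    return all(gamma[(j, phi[x])] == gamma[(i, x)]
               for (i, j, phi) in arrows for x in D[i])


# Constructed diagrams (not from the paper).
# A coequaliser: two parallel arrows 0 -> 1 identify x and y.
COEQ = (["0", "1"], {"0": {"a"}, "1": {"x", "y"}},
        [("0", "1", {"a": "x"}), ("0", "1", {"a": "y"})])
# A pushout: B <- A -> C glues u and w along s.
PUSHOUT = (["A", "B", "C"], {"A": {"s"}, "B": {"u", "v"}, "C": {"w", "z"}},
           [("A", "B", {"s": "u"}), ("A", "C", {"s": "w"})])
# A chain A -> B -> C: transitivity merges s, u, w and separately v, z.
CHAIN = (["A", "B", "C"], {"A": {"s"}, "B": {"u", "v"}, "C": {"w", "z"}},
         [("A", "B", {"s": "u"}), ("B", "C", {"u": "w", "v": "z"})])


def demo():
    out = {}
    for name, (objects, D, arrows) in [("coeq", COEQ), ("pushout", PUSHOUT), ("chain", CHAIN)]:
        classes, gamma = colimit_in_set(objects, D, arrows)
        assert is_cone(D, arrows, gamma)
        out[name] = len(classes)
    return out


if __name__ == "__main__":
    print(demo())   # {'coeq': 1, 'pushout': 3, 'chain': 2}
```

The `find`/union steps never need the symmetric or transitive closure to be computed separately: a union-find partition is already an equivalence relation, and it is the least one containing the generators because each union only identifies elements forced by a generator.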




4 The Problem 

There is a canonical functor $c$ from the category of event structures $\mathbf{E}$ to the 
category of presheaves $\widehat{\mathbf{Pom}}$. The functor $c$ takes an event structure $E$ of $\mathbf{E}$ to 
the presheaf $\mathbf{E}[-, E]$; in detail, $c(E)$ is the presheaf which for each path object 
$P$ yields the set of paths $\mathbf{E}[P, E]$ from $P$ into $E$. The functor $c$ takes a morphism 
$f : E \to E'$ in $\mathbf{E}$ to the natural transformation $\mathbf{E}[-, f] : \mathbf{E}[-, E] \to \mathbf{E}[-, E']$ 
whose component at an object $P$ of $\mathbf{Pom}$ is the function $\mathbf{E}[P, E] \to \mathbf{E}[P, E']$ 
taking $p$ to $f \circ p$; intuitively, a path $p : P \to E$ in $E$ is taken to a path 
$f \circ p : P \to E'$ in $E'$. 

Because the inclusion functor $\mathbf{Pom} \hookrightarrow \mathbf{E}$ is dense: 

Theorem 7. The canonical functor $c : \mathbf{E} \to \widehat{\mathbf{Pom}}$ is full and faithful. 

The canonical functor $c_s : \mathbf{E}_s \to \widehat{\mathbf{Pom}_s}$ is defined analogously, but with respect 
to strict morphisms on event structures and pomsets, and analogously: 

Theorem 8. The canonical functor $c_s : \mathbf{E}_s \to \widehat{\mathbf{Pom}_s}$ is full and faithful. 

The problem addressed in this paper is the characterisation of those presheaves 
which correspond to event structures with respect to the canonical embeddings. 
These amount to representation theorems; a presheaf $X$ over $\mathbf{Pom}$ is 
said to be represented by an event structure $E$ in $\mathbf{E}$ iff $X \cong \mathbf{E}[-, E]$. It turns out 
that characterising the presheaves in $\widehat{\mathbf{Pom}}$ which are represented by event structures 
in $\mathbf{E}$ involves first characterising those presheaves in $\widehat{\mathbf{Pom}_s}$ represented by 
event structures in $\mathbf{E}_s$, the strict case. 

5 Representation Theorem — Strict Morphisms 

This section is devoted to showing our first representation theorem: 

Theorem 9. A presheaf $X \in \widehat{\mathbf{Pom}_s}$ is isomorphic to $\mathbf{E}_s[-, E]$ for some event 
structure $E$ iff $X$ is nonempty and satisfies the conditions 

(Mono) For all $j_1, j_2 : P \to Q$ in $\mathbf{Pom}_s$, where $P$ is prime, 

$$\forall x \in X(Q).\; x \cdot j_1 = x \cdot j_2 \Rightarrow j_1 = j_2 .$$

(Separated) For all $x, x' \in X(Q)$ where $Q$ is a pomset, 

$$\text{if } (\forall j : P \to Q \text{ in } \mathbf{Pom}_s \text{ with } P \text{ prime},\; x \cdot j = x' \cdot j) \text{ then } x = x' .$$

Remark 10. The empty presheaf assigns the empty set to each pomset, even the 
empty pomset, and so cannot be represented by any event structure, which will 
always have the empty configuration. As we will see, the condition "Mono" expresses 
that morphisms from pomsets into event structures are mono. In fact 
"Mono" is equivalent to the corresponding condition where $P$ is not restricted 
to be prime. The condition "Separated" is equivalent to saying that the presheaf 
$X$ is separated with respect to the Grothendieck topology with basis 
consisting of collections $\{k_i : P_i \to Q \mid i \in I\}$ of jointly surjective morphisms. 
Note that "Separated" implies that any nonempty presheaf $X$ is rooted in the 
sense that $X(\emptyset)$, the set assigned to the empty pomset $\emptyset$, is a singleton: because 
there are no prime pomsets mapping into the empty pomset, any two elements of 
$X(\emptyset)$ vacuously satisfy the hypothesis of "Separated" and so are equal. 
It is easy to show the "only if" half of the theorem. 

Lemma 11. Let $E$ be an event structure in $\mathbf{E}_s$. Let $X$ be the presheaf $\mathbf{E}_s[-, E]$. 
Then $X$ is nonempty and satisfies the conditions "Mono" and "Separated". 

Proof. "Mono": Let $x \in \mathbf{E}_s[Q, E]$ and $j_1, j_2 : P \to Q$ morphisms in $\mathbf{Pom}_s$. 
For the presheaf $\mathbf{E}_s[-, E]$ obtained via the hom-functor, $x \cdot j_1 = x \cdot j_2$ means 
$x \circ j_1 = x \circ j_2$, so $j_1 = j_2$ as $x$ is 1-1 and thus mono. 

"Separated": Suppose $x, x' \in \mathbf{E}_s[Q, E]$ have the property that $x \cdot j = x' \cdot j$ for all 
$j : P \to Q$ in $\mathbf{Pom}_s$ from a prime pomset $P$. But this implies $x \circ j = x' \circ j$ for 
all inclusions $j : [e] \hookrightarrow Q$ where $e$ is an event of $Q$. Hence $x$ and $x'$ agree on all 
events of $Q$ and so are equal. □ 

To show the converse, "if" direction, of Theorem 9 we construct an event structure 
from a nonempty presheaf satisfying the "Mono" and "Separated" conditions. 
We do this by forming a colimit in $\mathbf{E}_s$. Not all colimits exist in $\mathbf{E}_s$. However 
if a nonempty presheaf $X$ satisfies the "Mono" condition we can construct a colimit 
as follows. 

Lemma 12. Let $X$ be a nonempty presheaf over $\mathbf{Pom}_s$ which satisfies the 
"Mono" condition. Then the colimit $\mathrm{colim}_{(Q,x) \in \mathrm{els}(X)} Q$ exists in $\mathbf{E}_s$. Its events 
$E$ can be taken to be the colimit in $\mathbf{Set}$ 

$$E = \Bigl(\,\biguplus_{(Q,x) \in \mathrm{els}(X)} Q\Bigr) / \sim$$

where $\sim$ is the least equivalence relation such that 

$$((Q,x), q) \sim ((Q',x'), q') \;\text{ if }\; \exists k : Q \to Q' \text{ in } \mathbf{Pom}_s.\; x = x' \cdot k \;\&\; k(q) = q' ,$$

when the components of the colimiting cone in $\mathbf{E}_s$, at $(Q,x) \in \mathrm{els}(X)$, are given 
by maps 

$$\gamma_{Q,x} : Q \to E \quad\text{with}\quad q \mapsto \{((Q,x), q)\}_\sim .$$

The causal dependency and consistency relations on $E$ satisfy: 

— $e \le e'$ iff there are $q \le q'$ in $Q$ for some pomset $Q$ and $x \in X(Q)$ such that 
$\gamma_{Q,x}(q) = e$ and $\gamma_{Q,x}(q') = e'$, 

— $C \in \mathrm{Con}$ iff there is $S \subseteq Q$ for some pomset $Q$ and $x \in X(Q)$ such that 
$C = \gamma_{Q,x} S$. 

Proof. Write $((Q,x),q) \sim_1 ((Q',x'),q')$ iff $\exists k : Q \to Q'.\; x = x' \cdot k \;\&\; k(q) = q'$. 
By definition, the relation $\sim$ is the symmetric transitive closure of $\sim_1$. 

Suppose that $((Q,x),q) \sim_1 ((Q',x'),q')$ and that $i : [q] \hookrightarrow Q$ and $i' : [q'] \hookrightarrow Q'$ 
are the associated inclusion morphisms in $\mathbf{Pom}_s$. Then "restricting" along $i$ 
and $i'$ we obtain 

$$((Q,x),q) \sim_1 ((Q',x'),q') \;\Rightarrow\; (([q], x \cdot i), q) \sim_1 (([q'], x' \cdot i'), q') .$$

Recalling that morphisms are strict, so that a strict $k$ with $k(q) = q'$ restricts to an 
isomorphism $[q] \cong [q']$, we see that for $x \in X(Q)$, $x' \in X(Q')$, 

$$(([q], x \cdot i), q) \sim_1 (([q'], x' \cdot i'), q') \;\text{ iff }\; \exists k : [q] \cong [q'].\; x \cdot i = x' \cdot i' \cdot k .$$

Thus a $\sim_1$-chain establishing $((Q,x),q) \sim ((Q',x'),q')$ restricts to a $\sim_1$-chain 
involving only prime pomsets. Noting that the $\sim_1$ relation is already symmetric 
and transitive when only prime pomsets are involved, we obtain 

$$((Q,x),q) \sim ((Q',x'),q') \;\text{ iff }\; (([q], x \cdot i), q) \sim_1 (([q'], x' \cdot i'), q')$$

$$\text{iff }\; \exists k : [q] \cong [q'].\; x \cdot i = x' \cdot i' \cdot k$$

where $i : [q] \hookrightarrow Q$, $i' : [q'] \hookrightarrow Q'$ are the inclusion morphisms. 

It follows that each $\gamma_{Q,x} : Q \to E$ is 1-1. Suppose $q, q' \in Q$ and $((Q,x),q) \sim 
((Q,x),q')$. Then we obtain 

$$k : [q] \cong [q'] \;\&\; x \cdot i = x \cdot i' \cdot k$$

where $i : [q] \hookrightarrow Q$ and $i' : [q'] \hookrightarrow Q$. But $X$ is assumed to satisfy the "Mono" 
condition. Hence $i = i' \circ k$ so that $q = i(q) = i' \circ k(q) = i'(q') = q'$, making $\gamma_{Q,x}$ 
a 1-1 function. 

As respects causal predecessors $[-]$, defining the causal dependency and 
consistency relations as above yields an event structure and ensures that each 
$\gamma_{Q,x}$ is a morphism in $\mathbf{E}_s$. Together the $\gamma_{Q,x}$, where $(Q,x) \in \mathrm{els}(X)$, form a cone in 
$\mathbf{E}_s$, which is colimiting because it is so in $\mathbf{Set}$. □ 

Prime pomsets distribute through the colimits of Lemma 12. 

Lemma 13. Let $X$ be a nonempty presheaf over $\mathbf{Pom}_s$ satisfying the "Mono" 
condition. Let $P$ be a prime pomset. The canonical map from the colimiting cone, 

$$\varphi_P : \mathrm{colim}_{(Q,x) \in \mathrm{els}(X)} \mathbf{E}_s[P, Q] \;\to\; \mathbf{E}_s[P, \mathrm{colim}_{(Q,x) \in \mathrm{els}(X)} Q] ,$$

acting so 

$$\varphi_P : \{((Q,x), j)\}_\sim \;\mapsto\; \gamma_{Q,x} \circ j ,$$

is an isomorphism, where $\gamma_{Q,x}$, for $(Q,x) \in \mathrm{els}(X)$, is the colimiting cone to 
$\mathrm{colim}_{(Q,x) \in \mathrm{els}(X)} Q$. 

Proof. Write $E$ for the event structure obtained as the colimit $\mathrm{colim}_{(Q,x) \in \mathrm{els}(X)} Q$ 
in Lemma 12. We first check that $\varphi_P$ is well-defined. In the explicit presentation 
of the colimit $C = \mathrm{colim}_{(Q,x) \in \mathrm{els}(X)} \mathbf{E}_s[P, Q]$ in $\mathbf{Set}$ the equivalence relation $\sim$ 
is generated by $\sim_1$ where 

$$((Q,x), j) \sim_1 ((Q',x'), j') \;\text{ iff }\; \exists k : Q \to Q' \text{ in } \mathbf{Pom}_s.\; x = x' \cdot k \;\&\; k \circ j = j' .$$

Thus, if $((Q,x), j) \sim_1 ((Q',x'), j')$ then there is $k : (Q,x) \to (Q',x')$ in $\mathrm{els}(X)$. 
So, as $E, \gamma$ is a cone, we directly obtain $\gamma_{Q,x} = \gamma_{Q',x'} \circ k$. Thus 

$$\varphi_P(((Q,x), j)) = \gamma_{Q,x} \circ j = \gamma_{Q',x'} \circ k \circ j = \gamma_{Q',x'} \circ j' = \varphi_P(((Q',x'), j')) .$$

Hence $\varphi_P$ is well-defined as a function. We require in addition that $\varphi_P$ is 1-1 
and onto. 

"onto": Suppose $f : P \to E$ in $\mathbf{E}_s$. As a prime pomset, $P$ is $[p]$ for some event 
$p$. The image $f(p)$, in $E$, is an equivalence class $\{((Q,x), q)\}_\sim$; choose any 
representative $((Q,x), q)$, where $(Q,x) \in \mathrm{els}(X)$ and $q \in Q$. Because morphisms 
are strict, $[p] \cong [q]$, so $f$ must factor through $\gamma_{Q,x}$ for some $j : P \to Q$ in $\mathbf{Pom}_s$: 

$$f = \gamma_{Q,x} \circ j .$$

But now $\varphi_P(\{((Q,x), j)\}_\sim) = \gamma_{Q,x} \circ j = f$. 

"1-1": Again, as $P$ is prime it has the form $[p]$ for some $p \in P$. First note that any 
equivalence class $c \in \mathrm{colim}_{(Q,x) \in \mathrm{els}(X)} \mathbf{E}_s[P, Q]$ has a representative of the form 
$(([q], x \cdot i), j)$ where $j : [p] \cong [q]$. To see this note that for any representative 
$((Q,x), l)$ of $c$, 

$$(([q], x \cdot i), j) \sim_1 ((Q,x), l)$$

where $q = l(p)$ and $l$ factors as $[p] \xrightarrow{\;j\;} [q] \xrightarrow{\;i\;} Q$ with $i$ the inclusion. 

Thus assuming that $\varphi_P(c) = \varphi_P(c')$ for $c, c' \in \mathrm{colim}_{(Q,x) \in \mathrm{els}(X)} \mathbf{E}_s[P, Q]$, 
there are representatives $(([q], x), j)$ and $(([q'], x'), j')$ where $j : [p] \cong [q]$ and 
$j' : [p] \cong [q']$ for which 

$$\gamma_{[q],x} \circ j = \gamma_{[q'],x'} \circ j' . \qquad (1)$$

Consequently, $\gamma_{[q],x}(q) = \gamma_{[q'],x'}(q')$, from which we obtain $(([q], x), q) \sim 
(([q'], x'), q')$ in $E$. But now (just as in the proof of Lemma 12) we derive the 
existence of an isomorphism $k$ such that 

$$k : [q] \cong [q'] \;\&\; x = x' \cdot k . \qquad (2)$$

As $k : ([q], x) \cong ([q'], x')$ is a morphism in $\mathrm{els}(X)$ and $E, \gamma$ is a cone, we see that 

$$\gamma_{[q],x} = \gamma_{[q'],x'} \circ k .$$

Hence, by (1), 

$$\gamma_{[q'],x'} \circ j' = \gamma_{[q],x} \circ j = \gamma_{[q'],x'} \circ k \circ j ,$$

ensuring $j' = k \circ j$ from the injectivity of $\gamma_{[q'],x'}$. With (2), this yields $(([q], x), j) 
\sim_1 (([q'], x'), j')$ in $C$, making $c = c'$. Hence $\varphi_P$ is 1-1. □ 

It is well-known that a presheaf is the colimit of its representables and that 
colimits in categories of presheaves are obtained pointwise. With our explicit 
treatment of colimits in $\mathbf{Set}$ we obtain an explicit isomorphism: 

Lemma 14. Let $X$ be a presheaf over $\mathbf{Pom}_s$. Let $P \in \mathbf{Pom}_s$. Then 

$$\psi_P : X(P) \;\cong\; \mathrm{colim}_{(Q,x) \in \mathrm{els}(X)} \mathbf{Pom}_s[P, Q] ,$$

where $\psi_P(z) = \{((P, z), 1_P)\}_\sim$. 
Now we can prove the "if" half of the first representation theorem: 

Lemma 15. Suppose $X$, a nonempty presheaf over $\mathbf{Pom}_s$, satisfies the "Mono" 
and "Separated" conditions. Let $E$ be the event structure obtained as the colimit 
$\mathrm{colim}_{(Q,x) \in \mathrm{els}(X)} Q$ in $\mathbf{E}_s$ (cf. Lemma 12). Then there is a natural isomorphism 

$$\theta : X \;\cong\; \mathbf{E}_s[-, E]$$

which has components $\theta_Q : X(Q) \to \mathbf{E}_s[Q, E]$, at pomset $Q$, given by 

$$\theta_Q(x) = \gamma_{Q,x}$$

for $x \in X(Q)$. [We adopt the notation of Lemma 12 where $\gamma_{Q,x} : Q \to E$ is the 
component of the colimiting cone at $(Q,x) \in \mathrm{els}(X)$.] 

Proof. We first check that $\theta$ is a natural transformation. Suppose $j : Q \to Q'$ in 
$\mathbf{Pom}_s$. We require the following naturality square to commute: 

$$\begin{array}{ccc} X(Q') & \xrightarrow{\;\theta_{Q'}\;} & \mathbf{E}_s[Q', E] \\ {\scriptstyle X(j)}\downarrow & & \downarrow{\scriptstyle -\circ j} \\ X(Q) & \xrightarrow{\;\theta_{Q}\;} & \mathbf{E}_s[Q, E] \end{array}$$

I.e., letting $x' \in X(Q')$, we require $\gamma_{Q,\, x' \cdot j} = \gamma_{Q',x'} \circ j$. But this is a direct 
consequence of $E, \gamma$ forming a cone. 

For $\theta$ to be a natural isomorphism we need that each $\theta_Q$, at a pomset $Q$, is 
1-1 and onto: 

"onto": Supposing $f : Q \to E$, the image of $Q$ must be consistent in $E$. Hence, 
by the way the consistency relation is defined on $E$ in Lemma 12, the map $f$ 
must factor as 

$$f = Q \xrightarrow{\;j\;} Q_0 \xrightarrow{\;\gamma_{Q_0,x_0}\;} E$$

for some $(Q_0, x_0) \in \mathrm{els}(X)$. Take $x = x_0 \cdot j \in X(Q)$. Then $f = \gamma_{Q_0,x_0} \circ j = \gamma_{Q,x}$ 
because $E, \gamma$ is a cone and $j : (Q,x) \to (Q_0,x_0)$ in $\mathrm{els}(X)$. Hence $\theta_Q(x) = f$. 

"1-1": Suppose $\theta_Q(x) = \theta_Q(x')$ for $x, x' \in X(Q)$. Then, for any $j : P \to Q$ 
with $P$ prime, $\theta_P(x \cdot j) = \theta_P(x' \cdot j)$ by naturality. Thus because $X$ is "Separated", 
it is sufficient to show that $\theta_P$ is 1-1 for each prime pomset $P$. However, 
each component $\theta_P$, when $P$ is a prime pomset, arises as the composition of 
isomorphisms 

$$X(P) \;\cong\; \mathrm{colim}_{(Q,x) \in \mathrm{els}(X)} \mathbf{Pom}_s[P, Q] \qquad (\text{via } \psi_P,\ \text{cf. Lemma 14})$$

$$= \mathrm{colim}_{(Q,x) \in \mathrm{els}(X)} \mathbf{E}_s[P, Q] \qquad (\text{as } \mathbf{Pom}_s \hookrightarrow \mathbf{E}_s \text{ is full})$$

$$\cong\; \mathbf{E}_s[P, E] \qquad (\text{via } \varphi_P,\ \text{cf. Lemma 13}).$$

□ 

As a corollary of Lemmas 11 and 15 we obtain the first representation theorem 
(Theorem 9) whose statement heads this section. 

6 Representation Theorem — Nonstrict Morphisms 

Our aim now is to characterise those presheaves over $\mathbf{Pom}$ represented by event 
structures in $\mathbf{E}$. 

Notation: We make heavy use of the augment-strict factorisation of Proposition 4 
and it is helpful to adopt the convention that arrows $\twoheadrightarrow$ stand for augmentations 
while arrows $\rightarrowtail$ stand for strict morphisms. 

The statement of the second representation theorem involves a "confluence" 
condition on the category of elements of a presheaf. 

Confluence Conditions: We will be interested in presheaves $Y \in \widehat{\mathbf{Pom}}$ for 
which the category of elements $\mathrm{els}(Y)$ satisfies the confluence condition: 

Letting $a : P \twoheadrightarrow Q$ and $f : P \to R$ in $\mathrm{els}(Y)$, if $a : (P, x) \twoheadrightarrow (Q, y)$ and 
$f : (P, x) \to (R, z)$ then there are $(S, w)$ in $\mathrm{els}(Y)$, $a' : R \twoheadrightarrow S$ and $f' : Q \to S$ 
such that the square 

$$\begin{array}{ccc} (R, z) & \xrightarrow{\;a'\;} & (S, w) \\ {\scriptstyle f}\uparrow & & \uparrow{\scriptstyle f'} \\ (P, x) & \xrightarrow{\;a\;} & (Q, y) \end{array}$$

commutes, i.e. $a' \circ f = f' \circ a$. 

Remark 16. By specialising $f$ in the confluence condition to an augmentation 
$f : (P, x) \twoheadrightarrow (R, z)$ we obtain a condition which we likewise summarise as a confluence 
diagram: there are $(S, w)$, $a' : R \twoheadrightarrow S$ and $f' : Q \to S$ with $a' \circ f = f' \circ a$. 
Note that in this case the morphism $f'$ will also be an augmentation just because 
it is a second factor of an epimorphism. 



The remainder of the paper is devoted to showing the second representation 
theorem: 

Theorem 17. A presheaf $Y \in \widehat{\mathbf{Pom}}$ is isomorphic to $\mathbf{E}[-, E]$ for some event 
structure $E$ iff $Y$ is nonempty and satisfies the conditions 

(Mono) For all $j_1, j_2 : P \to Q$ in $\mathbf{Pom}$, where $P$ is prime, 

$$\forall y \in Y(Q).\; y \cdot j_1 = y \cdot j_2 \Rightarrow j_1 = j_2 .$$

(Separated) For all $y, y' \in Y(Q)$ where $Q$ is a pomset, 

$$\text{if } (\forall j : P \to Q \text{ in } \mathbf{Pom} \text{ with } P \text{ prime},\; y \cdot j = y' \cdot j) \text{ then } y = y' .$$

(Confluent) The confluence condition above holds of $\mathrm{els}(Y)$. 

The proof of Theorem 17 uses the first representation theorem (Theorem 9) 
characterising which presheaves in $\widehat{\mathbf{Pom}_s}$ are represented by event structures $E$ 
in $\mathbf{E}_s$. The proof has three main parts, Sections 6.1, 6.2 and 6.3. 

In Section 6.1 the extension of the obvious inclusion functor $I : \mathbf{Pom}_s \hookrightarrow \mathbf{Pom}$ 
to a colimit-preserving functor $L : \widehat{\mathbf{Pom}_s} \to \widehat{\mathbf{Pom}}$ is characterised (Lemma 18). 

The next stage, presented in Section 6.2, is to relate the two canonical embeddings 
$c_s : \mathbf{E}_s \to \widehat{\mathbf{Pom}_s}$ and $c : \mathbf{E} \to \widehat{\mathbf{Pom}}$ in the diagram 

$$\begin{array}{ccc} \mathbf{E}_s & \hookrightarrow & \mathbf{E} \\ {\scriptstyle c_s}\downarrow & & \downarrow{\scriptstyle c} \\ \widehat{\mathbf{Pom}_s} & \xrightarrow{\;L\;} & \widehat{\mathbf{Pom}} \end{array}$$

which is shown to commute up to isomorphism (Lemma 20). It follows that the 
presheaves in $\widehat{\mathbf{Pom}}$ represented by event structures in $\mathbf{E}$ are, to within isomorphism, 
the images under $L$ of those presheaves in $\widehat{\mathbf{Pom}_s}$ represented by event 
structures in $\mathbf{E}_s$. 

Finally, in Section 6.3, it is shown that, to within isomorphism, the images 
in $\widehat{\mathbf{Pom}}$ under $L$ of presheaves in $\widehat{\mathbf{Pom}_s}$ are those which satisfy the "Confluent" 
condition, and that the "Mono" and "Separated" conditions transfer via 
$L$ to the corresponding conditions in $\widehat{\mathbf{Pom}}$ (Lemma 21). This yields the second 
representation theorem (Theorem 17). 



6.1 The Functor L 



To within isomorphism, there is a colimit-preserving functor $L : \widehat{\mathbf{Pom}_s} \to \widehat{\mathbf{Pom}}$ 
such that 

$$\begin{array}{ccc} \mathbf{Pom}_s & \xrightarrow{\;I\;} & \mathbf{Pom} \\ {\scriptstyle y_s}\downarrow & & \downarrow{\scriptstyle y} \\ \widehat{\mathbf{Pom}_s} & \xrightarrow{\;L\;} & \widehat{\mathbf{Pom}} \end{array}$$

commutes to within isomorphism, where $I$ is the inclusion and $y_s$, $y$ are the Yoneda 
embeddings. The functor $L$ may be obtained as the left Kan extension, so 
$L = \mathrm{Lan}_{y_s}(y \circ I)$ with $\mathrm{Lan}_{y_s}(y \circ I)(X) = \mathrm{colim}_{(P,x) \in \mathrm{els}(X)} y(P)$ for $X \in \widehat{\mathbf{Pom}_s}$. 
By exploiting the augment-strict factorisation (Proposition 4) we give a more 
workable characterisation. 






Lemma 18. Let $X \in \widehat{\mathbf{Pom}_s}$, $Q \in \mathbf{Pom}$. Define 

$$L(X)(Q) = \{\,\{(P, x, a)\}_\sim \mid x \in X(P) \;\&\; a : Q \twoheadrightarrow P\,\}$$

where $(P, x, a) \sim (P', x', a')$ iff $\exists k : P \cong P'.\; x = x' \cdot k \;\&\; k \circ a = a'$. For 
$f : Q \to Q'$, define $L(X)(f) : L(X)(Q') \to L(X)(Q)$ to act so 

$$\{(P', x', a')\}_\sim \;\mapsto\; \{(P, x' \cdot i, a)\}_\sim$$

where $i : P \rightarrowtail P'$ and $a : Q \twoheadrightarrow P$ are an augment-strict factorisation $i \circ a = a' \circ f$: 

$$\begin{array}{ccc} Q' & \xrightarrow{\;a'\;} & P' \\ {\scriptstyle f}\uparrow & & \uparrow{\scriptstyle i} \\ Q & \xrightarrow{\;a\;} & P \end{array}$$

Then $L(X)$ is a presheaf over $\mathbf{Pom}$ such that $L(X) \cong \mathrm{Lan}_{y_s}(y \circ I)(X)$. 

Proof. As colimits of presheaves are obtained pointwise, from the explicit description 
of colimits in $\mathbf{Set}$, Proposition 6, we see 

$$\mathrm{Lan}_{y_s}(y \circ I)(X)(Q) = \mathrm{colim}_{(P,x) \in \mathrm{els}(X)} \mathbf{Pom}[Q, P] = \Bigl(\,\biguplus_{(P,x) \in \mathrm{els}(X)} \mathbf{Pom}[Q, P]\Bigr) / \sim$$

where $\sim$ is the least equivalence relation such that 

$$((P, x), f) \sim ((P', x'), f') \;\text{ if }\; \exists k : P \rightarrowtail P' \text{ in } \mathbf{Pom}_s.\; x = x' \cdot k \;\&\; k \circ f = f' .$$

It follows that for each $((P', x'), f') \in \biguplus_{(P,x) \in \mathrm{els}(X)} \mathbf{Pom}[Q, P]$, 

$$((P, x' \cdot i), a) \sim ((P', x'), f')$$

where an augment-strict factorisation of $f'$ is $f' = Q \xrightarrow{\;a\;} P \xrightarrow{\;i\;} P'$. 
The isomorphism $L(X)(Q) \cong \mathrm{Lan}_{y_s}(y \circ I)(X)(Q)$ is a direct consequence. 

Via the isomorphism we obtain a colimiting cone with vertex $L(X)(Q)$; writing 
$\gamma^{Q}_{P,x}$ to record the dependence on $Q$, it has components $\gamma^{Q}_{P,x} : \mathbf{Pom}[Q, P] \to L(X)(Q)$ 
for $(P, x) \in \mathrm{els}(X)$ given by $\gamma^{Q}_{P,x}(g) = \{(P_0, x \cdot i_0, a_0)\}_\sim$ where $g$ has 
augment-strict factorisation $g = Q \xrightarrow{\;a_0\;} P_0 \xrightarrow{\;i_0\;} P$. 

We require that the isomorphism is natural in $Q$. To show this it is sufficient 
to verify that with respect to $f : Q \to Q'$ in $\mathbf{Pom}$ the map $L(X)(f)$ is the 
(necessarily unique) mediating map from the colimiting cone $L(X)(Q'), \gamma^{Q'}$ to 
the cone $L(X)(Q), \gamma^{Q} \circ (- \circ f)$, i.e. for all $(P, x) \in \mathrm{els}(X)$ and $g' \in \mathbf{Pom}[Q', P]$, 

$$L(X)(f)\bigl(\gamma^{Q'}_{P,x}(g')\bigr) = \gamma^{Q}_{P,x}(g' \circ f) .$$

The verification relies on augment-strict factorisation being unique to within 
isomorphism. □ 

Remark 19. Let $X$ be a presheaf over $\mathbf{Pom}_s$. In the special case when $f$ is an 
augmentation $a_0 : Q \twoheadrightarrow Q'$, $L(X)(a_0) : \{(P', x', a')\}_\sim \mapsto \{(P', x', a' \circ a_0)\}_\sim$, 
since $a' \circ a_0$ is itself an augmentation and so has the trivial augment-strict factorisation. 



6.2 Relating Non-strict and Strict 

The next lemma relates the two canonical embeddings $c_s : \mathbf{E}_s \to \widehat{\mathbf{Pom}_s}$ and 
$c : \mathbf{E} \to \widehat{\mathbf{Pom}}$. 

Lemma 20. Let $E$ be an event structure in $\mathbf{E}_s$. Then $L \circ c_s(E) \cong c(E)$. 

Proof. We require that $L(\mathbf{E}_s[-, E]) \cong \mathbf{E}[-, E]$. From the definition of $L$, 

$$L(\mathbf{E}_s[-, E])(Q) = \{\,\{(P, x, a)\}_\sim \mid x : P \rightarrowtail E \;\&\; a : Q \twoheadrightarrow P\,\}$$

where $(P, x, a) \sim (P', x', a')$ iff $\exists k : P \cong P'.\; k \circ a = a' \;\&\; x = x' \cdot k$. Thus 
elements of $L(\mathbf{E}_s[-, E])(Q)$ are in 1-1 correspondence with factorisations (to 
within isomorphism) of morphisms in $\mathbf{E}[Q, E]$ into an augmentation followed by a 
strict morphism. As such factorisations are unique, we obtain the isomorphism 

$$\alpha_Q : L(\mathbf{E}_s[-, E])(Q) \;\cong\; \mathbf{E}[Q, E] \quad\text{where}\quad \{(P, x, a)\}_\sim \mapsto x \circ a .$$

To check that the isomorphism $\alpha_Q$ is natural in $Q$, we require for $f : Q \to Q'$ 
that the naturality square 

$$\begin{array}{ccc} L(\mathbf{E}_s[-, E])(Q') & \xrightarrow{\;\alpha_{Q'}\;} & \mathbf{E}[Q', E] \\ {\scriptstyle L(\mathbf{E}_s[-, E])(f)}\downarrow & & \downarrow{\scriptstyle -\circ f} \\ L(\mathbf{E}_s[-, E])(Q) & \xrightarrow{\;\alpha_{Q}\;} & \mathbf{E}[Q, E] \end{array}$$

commutes. However, by definition 

$$L(\mathbf{E}_s[-, E])(f)(\{(P', x', a')\}_\sim) = \{(P, x' \circ i, a)\}_\sim$$

where $a : Q \twoheadrightarrow P$ and $i : P \rightarrowtail P'$ provide an augment-strict factorisation of 
$a' \circ f$: 

$$\begin{array}{ccccc} Q' & \xrightarrow{\;a'\;} & P' & \xrightarrow{\;x'\;} & E \\ {\scriptstyle f}\uparrow & & \uparrow{\scriptstyle i} & & \\ Q & \xrightarrow{\;a\;} & P & & \end{array}$$

Clearly, $\alpha_Q(\{(P, x' \circ i, a)\}_\sim) = x' \circ i \circ a = x' \circ a' \circ f = \alpha_{Q'}(\{(P', x', a')\}_\sim) \circ f$, so 
the naturality square commutes, as required. □ 
6.3 Transfer of Conditions via L 

We characterise, to within isomorphism, those presheaves which are images under 
$L : \widehat{\mathbf{Pom}_s} \to \widehat{\mathbf{Pom}}$ as those which are "Confluent" and see how the key 
conditions of the first representation theorem transfer across $L$. 

Lemma 21. (i) Let $Y \in \widehat{\mathbf{Pom}}$. Then $Y$ satisfies the "Confluent" condition iff 
$Y \cong L(X)$ for some $X \in \widehat{\mathbf{Pom}_s}$. 

(ii) Let $X \in \widehat{\mathbf{Pom}_s}$. Then $X$ satisfies the "Mono" and "Separated" conditions 
iff $L(X)$ satisfies the "Mono" and "Separated" conditions. 

Proof. (i) "if": Suppose that in $\mathrm{els}(L(X))$ 

$$f : (Q, q) \to (R, r) \quad\text{and}\quad b : (Q, q) \twoheadrightarrow (Q', q')$$

where $q \in L(X)(Q)$, $r \in L(X)(R)$ and $q' \in L(X)(Q')$ and $f : Q \to R$ and 
$b : Q \twoheadrightarrow Q'$ in $\mathbf{Pom}$. From the definition of $L(X)$, 

$$r = \{(P, x, a)\}_\sim \quad\text{and}\quad q' = \{(P', x', a')\}_\sim$$

for some $a : R \twoheadrightarrow P$ with $x \in X(P)$, and $a' : Q' \twoheadrightarrow P'$ with $x' \in X(P')$. Let $a \circ f$ 
have augment-strict factorisation $a \circ f = Q \xrightarrow{\;a_1\;} P_1 \xrightarrow{\;i\;} P$. Then, by the 
definition of $L(X)(f)$ and Remark 19, 

$$q = r \cdot f = \{(P_1, x \cdot i, a_1)\}_\sim = q' \cdot b = \{(P', x', a' \circ b)\}_\sim .$$

Because $(P_1, x \cdot i, a_1) \sim (P', x', a' \circ b)$ there is an isomorphism $j : P_1 \cong P'$ 
with $x \cdot i = x' \cdot j$ and $j \circ a_1 = a' \circ b$; in particular $j : (P_1, x \cdot i) \cong (P', x')$ in 
$\mathrm{els}(X)$. Summarising all the facts in $\mathrm{els}(L(X))$, and writing $\bar{x} = \{(P, x, 1_P)\}_\sim$, 
$\bar{x}' = \{(P', x', 1_{P'})\}_\sim$ and $\overline{x \cdot i} = \{(P_1, x \cdot i, 1_{P_1})\}_\sim$, we obtain the two 
commuting squares 

$$\begin{array}{ccc} (R, r) & \xrightarrow{\;a\;} & (P, \bar{x}) \\ {\scriptstyle f}\uparrow & & \uparrow{\scriptstyle i} \\ (Q, q) & \xrightarrow{\;a_1\;} & (P_1, \overline{x \cdot i}) \end{array} \qquad\qquad \begin{array}{ccc} (P_1, \overline{x \cdot i}) & \xrightarrow{\;j\;} & (P', \bar{x}') \\ {\scriptstyle a_1}\uparrow & & \uparrow{\scriptstyle a'} \\ (Q, q) & \xrightarrow{\;b\;} & (Q', q') \end{array}$$

In particular, noting the isomorphism $j : (P_1, \overline{x \cdot i}) \cong (P', \bar{x}')$, the square 
required by the "Confluent" condition for $b$ and $f$ closes at $(P, \bar{x})$, with 
$a : (R, r) \twoheadrightarrow (P, \bar{x})$ and $i \circ j^{-1} \circ a' : (Q', q') \to (P, \bar{x})$, since 
$i \circ j^{-1} \circ a' \circ b = i \circ j^{-1} \circ j \circ a_1 = i \circ a_1 = a \circ f$. So the "Confluent" condition 
is satisfied in $\mathrm{els}(L(X))$. 

"only if": To show the converse, we show how given $Y \in \widehat{\mathbf{Pom}}$ which is "Confluent" 
there is a presheaf $\mathrm{ext}(Y) \in \widehat{\mathbf{Pom}_s}$ such that $L(\mathrm{ext}(Y)) \cong Y$. The presheaf 
$\mathrm{ext}(Y)$ consists of just the extreme elements of $Y$, those elements of $Y$ which 
are not restrictions of elements with respect to any augmentations other than 
isomorphisms: 
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— ext{Y){P) = {y £ Y{P) \ '^a : P ^ Q,y' £ Y{Q)). y = y' ■ a ^ a is iso.} 
for pomsets P. 

— ext(Y)(j) is the restriction of Y(j), for morphisms j : P → P' in Pom_S; that ext(Y)(j) is well-defined, i.e. that if y' ∈ ext(Y)(P'), then Y(j)(y') ∈ ext(Y)(P), follows directly from Y being “Confluent” and the uniqueness up to isomorphism of factorisation.

It is now clear that ext(Y) ∈ Pom_S. We require that L(ext(Y)) ≅ Y. By definition L(ext(Y))(Q) = {{(P, y, a)}_~ | y ∈ ext(Y)(P) & a : Q → P}. Defining δ({(P, y, a)}_~) = y·a yields a function δ : L(ext(Y))(Q) → Y(Q) which is seen to be well-defined directly from the definition of ~.

δ is 1-1: Suppose δ({(P, y, a)}_~) = δ({(P', y', a')}_~). Then y_0 ≝ y·a = y'·a'. As Y is assumed “Confluent” we obtain a commuting diagram



[commuting diagram in els(Y) with vertex (P, y) omitted; not recoverable from the scan]







in els(Y). However (P, y) and (P', y') are extreme elements of Y. Hence b and b' are isomorphisms making (P, y, a) ~ (P', y', a').

δ is onto: Suppose y ∈ Y(Q). Because pomsets in Pom are finite, any chain

(Q, y) →^{a_1} (Q_2, y_2) →^{a_2} ··· →^{a_{n-1}} (Q_n, y_n) →^{a_n} ···

in els(Y) must eventually only involve isomorphisms, i.e. for some n, for all m > n, each augmentation a_m is an isomorphism. Taking a = a_{n-1} ∘ ··· ∘ a_1 there is an extreme element y_n for which δ({(Q_n, y_n, a)}_~) = y_n·a = y.

It follows that, to within isomorphism, the images of L are precisely those presheaves Y of Pom which are “Confluent”.

(ii) We now show that the “Mono” and “Separated” conditions transfer via L. We first observe that for X ∈ Pom_S,

ext(L(X)) ≅ X

because extreme elements of L(X), of the form {(P, x, 1_P)}_~, are in 1-1 correspondence with x ∈ X(P).

“if”: Assuming L(X) is “Mono” and “Separated”, the “Mono” and “Separated” conditions can also be seen to hold in the restriction ext(L(X)), which is isomorphic to X.

“only if”: Assuming X is “Mono” and “Separated” entails that X ≅ E_S[−, E] for some event structure E. By Lemma [number lost in the scan], A(X) ≅ E[−, E]. Now, just as in the proof of Lemma [number lost in the scan], E[−, E] and so L(X) satisfies “Mono” (because morphisms from pomsets to event structures in E are mono) and “Separated” (because morphisms are determined by their actions on events). □



556 Glynn Winskel 



We now obtain, as a corollary:

Proof of Theorem [number lost in the scan]. By Lemma [number lost in the scan], a nonempty presheaf Y ∈ Pom is represented by some event structure in E iff Y ≅ L(X) for some nonempty X ∈ Pom_S which is “Mono” and “Separated”. But Lemma [number lost in the scan] says that the latter properties hold of X iff Y ≅ L(X) is “Mono”, “Separated” and “Confluent”. □
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Subtyping and Locality in Distributed Higher Order Processes*

(Extended Abstract) 

Nobuko Yoshida and Matthew Hennessy 
COGS, University of Sussex 

Abstract. This paper studies one important aspect of distributed systems, locality, using a calculus of distributed higher-order processes in which not only basic values or channels, but also parameterised processes are transferred across distinct locations. An integration of the subtyping of the λ-calculus and the IO-subtyping of the π-calculus offers a tractable tool to control the locality of channel names in the presence of distributed higher-order processes. Using a local restriction on channel capabilities together with a subtyping relation, locality is preserved during reductions even if we allow new receptors to be dynamically created by instantiation of arbitrary higher-order values and processes. We also show that our method is applicable to more general constraints, based on local and global channel capabilities.



1 Introduction 

There have been a number of attempts at adapting traditional process calculi, such as CCS and CSP, so as to provide support for the modelling of certain aspects of distributed systems, such as distribution of resources and locality [3, 10, 20, 25, 30]. Most of these are based on first-order extensions of the π-calculus [21]; first-order in the sense that the data exchanged between processes are from simple datatypes, such as basic values or channel names. There are various proposals for implementing the transmission of higher-order data using these first-order languages, mostly based on [27]. However these translations, as we will explain in Section 6, do not preserve the distribution and locality of the source language. Consequently we believe that higher-order extensions of the π-calculus should be developed in their own right, as formal modelling languages for distributed systems.

In this paper we design such a language and examine one important aspect of distributed systems, namely locality. The language is a simple integration of the call-by-value λ-calculus and the π-calculus [21], together with primitives for distribution and spawning of new code at remote sites. The combination of dynamic channel creation inherited from the π-calculus and transmission of higher-order programs inherited from the λ-calculus offers us direct descriptions of various distributed computational structures. As such, it has much in common with the core version of Facile [2, 9, 19], CML [8] and LLinda [22], and can be regarded as an extension of the Blue-calculus [5] to higher-order term passing.

A desirable feature of some distributed systems is that every channel name is associated with a unique receptor, which is called receptiveness in [28]; another property, called locality, where new receptors are not created by received channels, has also been studied in [3, 4, 20, 34] for an asynchronous version of the π-calculus [16]. The combination of these constraints provides a model of a realistic distributed environment, which regards a receptor as an object or a thread existing in a unique name space. A generalisation is also proposed in the Distributed Join-calculus where not only a single receptor but also several receptors with the same input channel are allowed to exist in the same location [10]; in this paper we call this more general condition locality of channels. In distributed object-oriented systems, objects with a given id reside in a specific location even if multiple objects with the same id are permitted to exist for efficiency reasons, as found in, e.g., Concurrent Aggregates [7]; this locality constraint should be obeyed even in the presence of parameterised object passing, which has recently become common in practice [11].

* Supported by EPSRC GR/K60701 and CONFER II. E-mail: {nobuko,matthewh}@cogs.susx.ac.uk.

Jos C.M. Baeten, Sjouke Mauw (Eds.): CONCUR'99, LNCS 1664, pp. 557-572, 1999.
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Term: P, Q, ... ::= V | PQ | u?(x:τ).P | u!⟨V⟩P | (νa:σ)P | *P | P|Q | 0

Value: V, W, ... ::= u | λ(x:τ).P

Identifier: u, v, ... ::= l | a | x

Literal: l ::= true | false | () | 0 | 1 | ...

Figure 1. Syntax of πλ

In this paper we show that, in a distributed higher-order process language, locality of channels can be enforced by a typing system with subtyping. The essential idea is to control the input capability of channels, guaranteeing that at any one time this capability resides at exactly one location. As discussed in Section 3, ensuring locality in higher-order processes is much more difficult than in systems which only allow name passing. However, using our typing system we only have to statically type-check each local configuration to guarantee the required global invariant, namely locality of channels.

The main technical novelty of our work is an extension of the input/output type system of [14, 24] to a higher-order setting where the order-theoretic property of the subtyping relation, finite-bounded completeness, plays a pivotal role for a natural integration with arrow types. The framework will be generally applicable for other purposes where similar global constraints should be guaranteed using static local type checking.

The paper is organised as follows: Section 2 studies a call-by-value higher-order π-calculus, πλ, with subtyping. Section 3 introduces a distributed version of πλ, called Dπλ, and illustrates the difficulty of enforcing locality in Dπλ. Section 4 proposes a new typing system to ensure locality. Section 5 discusses applications of our type discipline: extendibility of our system to more general global/local channel constraints studied in [30] in a higher-order setting, a multiple higher-order replication theorem extending [24], and type checking. Section 6 concludes with discussions and related work. Due to space limitation, we leave the detailed explanations and proofs to the full version [35].

2 A Higher-Order π-Calculus with IO-Subtyping

Syntax The syntax of πλ is given in Figure 1. It uses an infinite set of names or channels N, ranged over by a, b, ..., and an infinite set of variables V, ranged over by x, y, .... We often use X, Y, Z, ... explicitly for variables over higher-order terms. The syntax is a mixture of
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Reduction Rules:

(β)  (λ(x:τ).P)V → P{V/x}

(com)  u?(x:τ).P | u!⟨V⟩Q → P{V/x} | Q

(par)  if P → P' then P|Q → P'|Q

(res)  if P → P' then (νa:σ)P → (νa:σ)P'

(app_1)  if P → P' then PV → P'V

(app_2)  if Q → Q' then PQ → PQ'

(str)  if P ≡ P', P' → Q' and Q' ≡ Q then P → Q

Structural Equivalence:

• P ≡ Q if P ≡_α Q.

• P|Q ≡ Q|P,  (P|Q)|R ≡ P|(Q|R),  P|0 ≡ P,  *P ≡ P|*P

• (νa)0 ≡ 0,  (νa)(νb)P ≡ (νb)(νa)P,  (νa)P|Q ≡ (νa)(P|Q) if a ∉ fn(Q)

Figure 2. Reduction for πλ.



a call-by-value λ-calculus and the π-calculus. From the former there are values, consisting of basic values and abstractions, together with application. From the latter we have input and output on communication channels, dynamic channel creation, iteration and the empty process. We use the standard notational conventions; for example ignoring trailing occurrences of 0 and omitting type annotations unless they are relevant. We use fn(P)/fv(P) to denote the sets of free names/variables respectively, and typically write λ().P for a thunk of P, i.e. λ(x:unit).P assuming x ∉ fv(P).

Reduction The reduction semantics of πλ is given in Figure 2. The main reduction rules are β-reduction, (β), and communication, (com). The final contextual rule, (str), uses the structural rules from the π-calculus. We use →→ to denote multi-step reductions.

Example 2.1. (sq-server) Suppose that in the language we have a literal sq for squaring natural numbers. For a given name a let sq(a) represent the expression *a?(y, z). z!⟨sq(y)⟩, which we write as

sq(a) ≝ *a?(y, z). z!⟨sq(y)⟩

This receives a value on y to be processed together with a return channel z to which the processed data is to be sent. It then squares the data and returns the result along the return channel.

A sq-server, sqServ, is a process which on request sends to the client the code for squaring values, which the client can initialise locally.

sqServ ≝ *req?(r). r!⟨λ(x). sq(x)⟩

Here the process receives a request on the channel req, in the form of a return channel r, to which the abstraction λ(x). sq(x) is sent. A client can now download this code and initialise it with a local channel a which will act as the request channel for data processing:

Client ≝ (νr) req!⟨r⟩ r?(X). (νa)(X a | a!⟨1, c_1⟩ | a!⟨2, c_2⟩ | a!⟨3, c_3⟩ | ···) □
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Type:

Term Type: ρ ::= proc | τ

Value Type: τ ::= unit | bool | nat | τ → ρ | σ

Channel Type: σ ::= (S_i, S_o) with S_i ≥ S_o, S_i ≠ ⊥ and S_o ≠ ⊤.

Sort Type: S ::= ⊤ | ⊥ | (τ⃗)

Abbreviations:

(input only)  (τ⃗)^i ≝ ((τ⃗), ⊥)

(output only)  (τ⃗)^o ≝ (⊤, (τ⃗))

(input/output)  (τ⃗)^io ≝ ((τ⃗), (τ⃗))

Ordering:

(base)  proc ≤ proc, nat ≤ nat, S ≤ S, etc.

(⊥, ⊤)  ⊥ ≤ S,  S ≤ ⊤

(vec)  ∀i. τ_i ≤ τ_i'  ⇒  (τ⃗) ≤ (τ⃗')

(→)  τ ≥ τ', ρ ≤ ρ'  ⇒  τ → ρ ≤ τ' → ρ'

(chan)  σ_j = (S_ji, S_jo), S_1i ≤ S_2i, S_1o ≥ S_2o  ⇒  σ_1 ≤ σ_2

Figure 3. Types for πλ.





IO-Types We use as types for πλ a simplification of the input/output capabilities of [14] (in turn a strict generalisation of [24]¹). They are defined in Figure 3, where we assume a given set of base types, such as nat and bool, and a type for processes, proc. Value types may then be constructed from these types using the constructor → as in the λ-calculus. Here in addition we may also use channel types, ranged over by σ. These take the form (S_i, S_o), a pair consisting of an input sort S_i and an output sort S_o; these input/output sorts are in turn either a vector of value types or ⊤, denoting the highest capability, or ⊥, denoting the lowest. The representation of IO-types as a tuple [14, 15] makes the definition of the subtyping relation, also given in Figure 3, more natural when we integrate with the arrow types of the λ-calculus; the ordering of input types is covariant, whereas that of output types is contravariant. The condition S_i ≥ S_o on channel types is necessary to ensure that a receiver always takes fewer capabilities than specified by the outside environment, while a sender always sends more capabilities than specified. The IO-types in [24] are then represented as a special case of our IO-types; to denote them, we introduce the abbreviations in Figure 3. Note that [text lost in the scan] and

(τ⃗)^io ≤ (τ⃗)^o ≤ (⊤, ⊥).²

The subtyping relation over types defined in Figure 3 is a partial order and finite bounded complete, FBC (cf. [14]). The partial meet operator ⊓ and partial join operator ⊔ can also be defined directly following [14]. For the base and arrow types, we define ⊓/⊔ as the standard meet/join operators w.r.t. ≤. For channel types, we use the following definition:

(vec)  (τ⃗) ⊔ (τ⃗') = (τ⃗'') with τ_i'' = τ_i ⊔ τ_i'  and  (τ⃗) ⊓ (τ⃗') = (τ⃗'') with τ_i'' = τ_i ⊓ τ_i'

¹ Our general form of IO-types gives more typable terms than [24] even if we restrict our language to the pure polyadic π-calculus. See Example 2.5 in [35].

² Note also (⊤, ⊥) ≠ ⊤ because the former is a type for a channel which is only used as a value (i.e. empty capability), while the latter is the top of sort types. The side conditions S_i ≠ ⊥ and S_o ≠ ⊤ ensure that mismatching arity constraints are avoided.
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Common Typing Rules:

Id:  Γ, u:τ ⊢ u : τ

Sub:  Γ ⊢ P : ρ, ρ ≤ ρ'  ⇒  Γ ⊢ P : ρ'

Functional Typing Rules:

Const:  Γ ⊢ 1 : nat etc.

Abs:  Γ, x:τ ⊢ P : ρ  ⇒  Γ ⊢ λ(x:τ).P : τ → ρ

App:  Γ ⊢ P : τ → ρ, Γ ⊢ Q : τ  ⇒  Γ ⊢ PQ : ρ

Process Typing Rules:

In:  Γ ⊢ u : (τ⃗)^i, Γ, x⃗:τ⃗ ⊢ P : proc  ⇒  Γ ⊢ u?(x⃗:τ⃗).P : proc

Out:  Γ ⊢ u : (τ⃗)^o, Γ ⊢ V_i : τ_i, Γ ⊢ P : proc  ⇒  Γ ⊢ u!⟨V⃗⟩P : proc

Res:  Γ, a:σ ⊢ P : proc  ⇒  Γ ⊢ (νa:σ)P : proc

Nil:  Γ ⊢ 0 : proc

Rep:  Γ ⊢ P : proc  ⇒  Γ ⊢ *P : proc

Par:  Γ ⊢ P : proc, Γ ⊢ Q : proc  ⇒  Γ ⊢ P|Q : proc

Figure 4. Typing System for πλ



(chan)  (S_i, S_o) ⊔ (S_i', S_o') = (S_i ⊔ S_i', S_o ⊓ S_o')  and

(S_i, S_o) ⊓ (S_i', S_o') = (S_i ⊓ S_i', S_o ⊔ S_o') if S_i ≥ S_o' and S_i' ≥ S_o; else undefined.

For sort types (but not value, term or channel types) we can ensure that both ⊓ and ⊔ are total; in all cases of S ⊓ S' (respectively S ⊔ S') not covered by the above clauses, we set S ⊓ S' = ⊥ (respectively S ⊔ S' = ⊤).

The IO Typing System Type environments, ranged over by Γ, Δ, ..., are functions from a finite subset of N ∪ V to the set of value types. We use the following notation:

(1) dom(Γ) denotes {u | u:τ ∈ Γ} and Γ/Δ denotes {u:τ ∈ Γ | u ∉ dom(Δ)}.

(2) Γ, u:τ means Γ ∪ {u:τ}, together with the assumption u ∉ dom(Γ).

(3) Δ ≤ Γ means Δ(u) ≤ Γ(u) for all u ∈ dom(Γ).

Then we define the partial meet operator ⊓ and the partial join operator ⊔ as:

Γ ⊓ Δ ≝ Γ/dom(Δ) ∪ Δ/dom(Γ) ∪ {u : (Δ(u) ⊓ Γ(u)) | u ∈ dom(Γ) ∩ dom(Δ)}  and
Γ ⊔ Δ ≝ {u : (Δ(u) ⊔ Γ(u)) | u ∈ dom(Γ) ∩ dom(Δ)}

Typing Assignments are formulas P : ρ for any term P and any type ρ. We write Γ ⊢ P : ρ if the formula P : ρ is provable from a typing function Γ using the Typing System given in Figure 4. This is divided into two parts. The first is inherited from the λ-calculus, while the second is a simple adaptation of the IO-typing system from [14, 24].

Example 2.2. (typed sq server) We now revisit Example 2.1. In the definition of sq(a) a pair of values is input, a natural number and a channel respectively, and this channel will be used to transmit a natural number. So we type it as:

sq(a) ≝ *a?(y: int, z: (int)^o). z!⟨sq(y)⟩
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Syntax:

System: N, M, ... ::= P | N || M | (νa:σ)N

Term: P, Q, ... ::= Spawn(P) | ··· from Figure 1

Value: as in Figure 1

Distributed Reduction Rules:

(spawn)  (··· Q | Spawn(P)) → (··· Q) || P

(com_l)  (u?(x:τ).P | ···) || (u!⟨V⟩Q | ···) → (P{V/x} | ···) || (Q | ···)

(par_l)  if M → M' then M || N → M' || N

(res_l)  if N → N' then (νa:σ)N → (νa:σ)N'

(str_l)  if N ≡ N', N' → M' and M' ≡ M then N → M

Figure 5. Syntax and Distributed Reduction in Dπλ



where the process only receives the output capability on the return channel z, which is guaranteed by the type (int)^o assigned to z. Then we have Γ ⊢ sq(a) : proc for any typing function Γ such that Γ(a) ≤ (int, (int)^o)^i. Now by Abs in Figure 4, we have:

⊢ λ(x: (int, (int)^o)^i). sq(x) : (int, (int)^o)^i → proc

which means that should x be instantiated by a channel whose capability is dominated by (int, (int)^o)^i, then it becomes a safe process. □

This simple typing system satisfies the following standard subject reduction theorem.

Theorem 2.3. (Subject Reduction) If Γ ⊢ P : ρ and P → P', then Γ ⊢ P' : ρ.

3 Locality of Channels in Distributed Higher Order π-Calculus

Distributed Higher Order π-Calculus The extended syntax for distributed processes is given in Figure 5. Intuitively N || M represents two systems N, M running at two physically distinct locations, while the process Spawn(P) creates a new location at which the process P is launched. The reduction semantics of the previous section is extended to the new language, Dπλ, in a straightforward manner, outlined in Figure 5. The structural equivalence of systems is defined by changing “|” to “||” and P, Q, R to M, N, N' in Figure 2. The first two rules are the most important, namely spawning of a process at a new location (spawn) and communication between physically distinct locations, (com_l).

Defining Locality We require that every input channel name is associated with a unique location. This is violated in, for example,

a?(y).P || (a?(z).Q | b?(x_1).R_1 | b?(x_2).R_2)

because the name a can receive input at two distinct locations. Note however that the name b is located uniquely, although at that location a call can be serviced in two different ways. A formal definition of this concept (or rather its complement), locality error, is given in Figure 6, using a predicate on systems, N ↓_lerr. Intuitively this should be read as saying:
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Input Predicate:

a?(x⃗).P ↓_a

if P ↓_a then (P|Q) ↓_a and (Q|P) ↓_a

if P ↓_a and a ≠ b then (νb)P ↓_a

if P ↓_a then *P ↓_a

if N ↓_a then (N||M) ↓_a and (M||N) ↓_a

if N ↓_a and a ≠ c then (νc)N ↓_a

Locality Error:

if N ↓_a and M ↓_a then (N||M) ↓_lerr

if N ↓_lerr then (N||M) ↓_lerr and (M||N) ↓_lerr

if N ↓_lerr then (νc)N ↓_lerr

Figure 6. Locality Error



Local Distributed Rules:

Spawn:  Γ ⊢ P : proc  ⇒  Γ ⊢ Spawn(P) : proc

Intro:  Γ ⊢ P : proc  ⇒  Γ ⊢_l P

Par_l:  Γ ⊢_l N, Δ ⊢_l M, Γ ⋈_l Δ  ⇒  Γ ⊓ Δ ⊢_l N || M

Res_l:  Γ, a:σ ⊢_l M  ⇒  Γ ⊢_l (νa:σ)M

Figure 7. Local Distributed Typing Rules



in the system N there is a runtime error, namely there is some name a which is ready to receive input at two distinct locations. The definition uses an input predicate P ↓_a which is satisfied when P can immediately perform input on name a.

Now let us say a channel type σ is local if σ has an input capability, i.e. σ = ((τ⃗), S_o). We also say u is local under Γ if Γ(u) is local.

Definition 3.1. (system composable) Γ_1 and Γ_2 are composable, written Γ_1 ⋈ Γ_2, if Γ_1 ⊓ Γ_2 is defined, and Γ_1 and Γ_2 are system-composable, written Γ_1 ⋈_l Γ_2, if Γ_1 ⋈ Γ_2 and u : (S_ji, S_jo) ∈ Γ_j (j = 1, 2) implies S_1i = ⊤ or S_2i = ⊤. □

Intuitively this means that if a channel a is local in Γ_1, then it must not be local in another environment Γ_2.

The typing system for distributed systems given in Figure 7 is simply of the form Γ ⊢_l N where Γ is again the same kind of environment. The most essential rule is Par_l; this says that N_1 || N_2 is typable with respect to Δ if Δ can be written as Γ_1 ⊓ Γ_2, where Γ_1 ⋈_l Γ_2 and N_i is typable with respect to Γ_i. If terms are system composable, then we have no immediate locality error since P ↓_a and Γ ⊢_l P : proc imply Γ ⊢ a : (τ⃗)^i for some τ⃗. That is:

Theorem 3.2. (Type Safety) Γ ⊢_l N implies ¬(N ↓_lerr).

It is however easy to see that system composability as defined above is not closed under reduction: indeed, we easily have that Γ ⊢_l N and N → N' do not imply Γ ⊢_l N'.

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Difficulties in preserving locality in Dπλ There are basically two reasons why locality is not preserved after communication. The first is the use of a name received from another location as an input subject. Take a?(x).P | b!⟨a⟩ || b?(y). y?(z).Q. Then it is easy to check that this can be typed with Par_l in Figure 7. However after one reduction step, the communication along b, we obtain a?(x).P || a?(z).Q, which is no longer typable. It is not difficult to exclude such terms, which do not involve term passing, by a simple syntactic condition or typing systems as studied in [2, 4, 20, 28]. The second, which is more complicated, concerns the parameterisation of processes and the instantiation of variables which occur in outgoing values. The presence of higher-order passing makes the problem subtle, as seen in the next example.

Example 3.3. Let V denote the value λ(). sq(a) in the slightly modified system

a?(x).P | b!⟨V⟩ || b?(Y). Y()

This is a typable configuration; nevertheless, after the transmission of the value V to the new site and a reduction we get a system which violates our locality conditions. Next consider similar code where V denotes λ(x). sq(x).

a?(x).P | b!⟨V⟩ || b?(Y). (Y c) | c?(x).Q

This does not destroy locality while it creates a new receptor sq(c). However the following system, which sends the same value as the above to b, disturbs locality.

d?(Z).Z() | b!⟨V⟩ || b?(Y). d!⟨λ().(Y c)⟩ | c?(x).Q □

Certain values are sendable in that their transfer from location to location will never lead to a locality error. For example, the first value λ().sq(a) is immediately not sendable, although λ(x).sq(x) will be sendable, because it contains no free occurrence of input channels. However the algebra of sendable and non-sendable terms is not straightforward; in the third system, V is transmitted along b across locations, where it is used to dynamically construct a new dangerous value λ().(Y c); this is then transmitted across locations via d and when it is run we obtain once more a locality error.³ We need a new set of sendable/non-sendable types and a typing system which controls the formation of values and ensures that in every occurrence of b!⟨V⟩, where the term V can be exported to a new location, it can only evaluate to a value of sendable type.

4 Type Inference System for Locality

Local Typing System We add a new type constructor s(ρ) for sendable terms; the formation rules and ordering are given in Figure 8. The side condition on arrow types simply avoids, as we will see, a sendable term having a non-sendable subterm; e.g. if either P or Q is non-sendable, then P Q will automatically be non-sendable. A similar side condition on arrow types can be found in the passive types in [23].

The first extra ordering ensures that ≤ is a preorder. The second says that the constructor s( ) preserves subtyping and the third that all sendable values are also values. In conjunction with (id), this rule implies that sendability is idempotent, s(s(ρ)) ~ s(ρ) with ~ ≝ ≤ ∩ ≥. Similarly with (lift), we have: s(s(τ) → s(ρ)) ~ s(τ) → s(ρ). Based on this ordering, we formalise sendable types as follows.

³ See [35] for further non-trivial examples of higher-order processes.
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Types:

Term Type: ρ ::= π | τ

Process Type: π ::= proc | s(proc)

Value Type: τ ::= unit | nat | bool | σ | s(τ) with τ ≠ σ | τ → ρ with ρ ≤ s(ρ') ⇒ τ ≤ s(τ')

Channel Type: σ ::= (S_i, S_o) with S_i ≥ S_o, S_i ≠ ⊥ and S_o ≠ ⊤ | s((⊤, S_o))

Sort Type: S as in Figure 3.

Ordering: All rules from Figure 3 and

(trans)  ρ_1 ≤ ρ_2, ρ_2 ≤ ρ_3 ⇒ ρ_1 ≤ ρ_3      (id)  s(ρ) ≤ s(s(ρ))

(mono)  ρ ≤ ρ' ⇒ s(ρ) ≤ s(ρ')      (lift)  s(τ) → s(ρ) ≤ s(s(τ) → s(ρ))

(sendable)  s(ρ) ≤ ρ

Figure 8. Locality types for Dπλ



Definition 4.1. Let Sble, the set of sendable types, be the least set of types which includes all types of the form s(ρ), and for which τ, ρ ∈ Sble implies τ → ρ ∈ Sble. We say ρ is sendable if ρ ∈ Sble. □

The main properties of the set of sendable types are given in the following proposition:

Proposition 4.2. (downwards closed) (1) Sble is downwards closed with respect to subtyping: ρ' ≤ ρ and ρ ∈ Sble implies ρ' ∈ Sble, (2) ρ ∈ Sble if and only if ρ ~ s(ρ), and (3) ρ ∈ Sble if and only if ρ ≤ s(ρ') for some ρ'.

The last statement of this Proposition is particularly relevant; in our revised typing system a value can only be exported to a new site if it can be assigned a type in Sble.

The essential order-theoretic property, FBC, is also preserved on this subtyping relation. We extend the definition of ⊓ and ⊔ in § 2.3 to the sendable types as follows.

s(ρ_1) ⊓ s(ρ_2) = s(ρ_1 ⊓ ρ_2)  and  s(ρ_1) ⊔ s(ρ_2) = s(ρ_1 ⊔ ρ_2)

s(ρ_1) ⊓ ρ_2 = s(ρ_1 ⊓ ρ_2)  and  s(ρ_1) ⊔ ρ_2 = ρ_1 ⊔ ρ_2  with ρ_2 ≠ s(ρ_2).

The new type inference system, with judgements of the form Γ ⊢_l P : ρ, is given in Figure 9 and uses the notion of sendable type environments, which only use sendable types.

Definition 4.3. A typing environment Δ is sendable, written Δ ⊢_l SBL, if u:τ ∈ Δ implies τ ∈ Sble or a:σ ∈ Δ implies σ = (⊤, S_o). □

In Figure 9 the Send Rules determine which values can be exported to other locations, either by spawning or by communication. All constants and output capabilities on channels are automatically sendable. The crucial rule is Term_l, which says that a general term is sendable only if it can be derived from a sendable type environment. For processes, first we can create a process by Spawn only if it is sendable. In Out_s we require that values which will be sent across locations have sendable types. However if the transmission is only done in the same location, this condition should be relaxed; in Out_l, the message is guaranteed to be transmitted within the same location since name a has an
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Send Rules:

Const_l:  Γ ⊢_l l : nat  ⇒  Γ ⊢_l l : s(nat)   etc.

Chan_l:  Γ ⊢_l a : (⊤, S)  ⇒  Γ ⊢_l a : s((⊤, S))

Spawn_l:  Γ ⊢_l P : s(proc)  ⇒  Γ ⊢_l Spawn(P) : s(proc)

Term_l:  Δ ⊢_l P : ρ, Δ ⊢_l SBL, Δ ≥ Γ  ⇒  Γ ⊢_l P : s(ρ)

Common Rules: as in Figure 4.

Functional Rules: as in Figure 4.

Process Rules:

Out_s:  Γ ⊢_l u : (s(τ⃗))^o, Γ ⊢_l V_i : s(τ_i), Γ ⊢_l P : π  ⇒  Γ ⊢_l u!⟨V⃗⟩P : π

Out_l:  Γ ⊢_l u : ((τ⃗), (τ⃗)), Γ ⊢_l V_i : τ_i, Γ ⊢_l P : proc  ⇒  Γ ⊢_l u!⟨V⃗⟩P : proc

Nil, Rep, Par, Res as in Figure 4 with proc replaced by π, and In the same as in Figure 4.

Local Distributed Rules: Par_l and Res_l as in Figure 7 and Intro as in Figure 7 with ⊢ replaced by ⊢_l in Intro.

Figure 9. Locality Typing System for Dπλ



input capability. Note also that an input process always has the non-sendable type proc.



Example 4.4. (Sq-server) In the following, we offer a non-trivial example of the use of sendability in typing. Recall Examples 2.1 and 2.2, and let us define

σ = (int, (int)^o)^i    τ = σ → proc    σ' = (int, (int)^o)^io

First we note λ(x:σ). sq(x) has a sendable type s(σ → proc); the derivation is similar to that in Example 2.2, followed by an application of Term_l. Then SqServ is typed as:

req: ((τ)^o)^i ⊢_l *req?(r: (τ)^o). r!⟨λ(x:σ). sq(x)⟩ : proc

Next for Client, first let us define its body as P ≝ (X a | a!⟨1, c_1⟩ | ···). To accept λ(x:σ). sq(x) from the server and create sq(a) by applying a to λ(x:σ). sq(x), a will be used with both input/output capabilities in P. Hence P is typed as: X:τ, a:σ' ⊢_l P : proc. Now define Γ = req: ((τ)^o)^o, r: [type not recoverable from the scan]. Then by applying Res and In, we have:

Γ ⊢_l r?(X:τ). (νa:σ')P : proc

To output r through “req”:

Γ ⊢_l r : (τ)^o  ⇒ (Chan_l)  Γ ⊢_l r : s((τ)^o)

The type of the channel “req” in the client is inferred as Γ ⊢_l req : (s((τ)^o))^o by s((τ)^o) ≤ (τ)^o as well as the contravariance of output capability. Combining these three, we infer:

req: ((τ)^o)^o ⊢_l (νr: (τ)^io) req!⟨r⟩ r?(X:τ). (νa:σ')P = Client : proc
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Finally since {req: ((τ)^o)^i} ⋈_l {req: ((τ)^o)^o}, both systems are system composable:

req: ((τ)^o)^io ⊢_l SqServ || Client

Observe that:

(1) The sendable type s(σ → proc) of λ(x:σ). sq(x) makes it possible to create a new server sq(a) on the client side.

(2) r is declared with both input and output capabilities in the Client. The Client itself uses the input capability but, because of the type of “req”, it only sends the output capability to SqServ. This form of communication is essential to represent continuation passing style programming in the π-calculus as studied in [16, 24, 27, 28]. Moreover it demonstrates the need for non-trivial subtyping on channels. □

One can refer to [35] for more examples which show that our system eliminates various forms of behaviour which destroy locality, like those in Example 3.3.
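To make the composability check concrete, here is an added Python model (my own code, not from the paper) of the channel subtyping of Figure 3, the environment meet of Section 2 and Definition 3.1; it assumes the tuple-based representation described in its comments and runs the check on the SqServ/Client environments of Example 4.4 and on the a?(x).P || a?(z).Q configuration of Section 3.

```python
# Added example (not from the paper): a Python model of the channel subtyping
# of Figure 3, the environment meet of Section 2 and the system-composability
# check of Definition 3.1.  Representation (my own): base types are strings
# ('nat', 'int', 'proc'), arrows are ('->', t, r), channels are ('chan', S_i, S_o);
# a sort is TOP, BOT or a tuple of value types.
TOP, BOT = "TOP", "BOT"

def well_formed(si, so):   # side condition of Figure 3 on (S_i, S_o)
    return si != BOT and so != TOP and leq_sort(so, si)

def chan(si, so):
    assert well_formed(si, so), "ill-formed channel type"
    return ("chan", si, so)

def inp(*ts): return chan(tuple(ts), BOT)        # (tau)^i  = ((tau), BOT)
def out(*ts): return chan(TOP, tuple(ts))        # (tau)^o  = (TOP, (tau))
def io(*ts): return chan(tuple(ts), tuple(ts))   # (tau)^io = ((tau), (tau))

def leq(a, b):
    """Subtyping on types: rules (base), (->) and (chan) of Figure 3."""
    if isinstance(a, str) or isinstance(b, str):
        return a == b
    if a[0] == "->" and b[0] == "->":                 # argument contravariant,
        return leq(b[1], a[1]) and leq(a[2], b[2])    # result covariant
    if a[0] == "chan" and b[0] == "chan":             # input sort covariant,
        return leq_sort(a[1], b[1]) and leq_sort(b[2], a[2])  # output contravariant
    return False

def leq_sort(s, t):
    """BOT <= S <= TOP; vectors of equal length compare pointwise (vec)."""
    if s == BOT or t == TOP:
        return True
    if s == TOP or t == BOT:
        return False
    return len(s) == len(t) and all(leq(x, y) for x, y in zip(s, t))

def meet(a, b):
    """Partial meet (None = undefined); non-channel types meet only if equal."""
    if a == b:
        return a
    if isinstance(a, tuple) and isinstance(b, tuple) and a[0] == b[0] == "chan":
        (_, si, so), (_, si2, so2) = a, b
        if leq_sort(so2, si) and leq_sort(so, si2):   # side condition of (chan)
            si3, so3 = meet_sort(si, si2), join_sort(so, so2)
            return chan(si3, so3) if well_formed(si3, so3) else None
    return None

def join(a, b):   # partial join; channels: (S_i join S_i', S_o meet S_o')
    if a == b:
        return a
    if isinstance(a, tuple) and isinstance(b, tuple) and a[0] == b[0] == "chan":
        return chan(join_sort(a[1], b[1]), meet_sort(a[2], b[2]))
    return None

def meet_sort(s, t):   # total: BOT in every case the clauses do not cover
    if leq_sort(s, t):
        return s
    if leq_sort(t, s):
        return t
    ms = [meet(x, y) for x, y in zip(s, t)] if len(s) == len(t) else [None]
    return tuple(ms) if None not in ms else BOT

def join_sort(s, t):   # total: TOP in every case the clauses do not cover
    if leq_sort(s, t):
        return t
    if leq_sort(t, s):
        return s
    js = [join(x, y) for x, y in zip(s, t)] if len(s) == len(t) else [None]
    return tuple(js) if None not in js else TOP

def meet_env(g, d):
    """Gamma meet Delta (Section 2); None when a shared name has no meet."""
    res = {**g, **d}
    for u in set(g) & set(d):
        res[u] = meet(g[u], d[u])
    return None if None in res.values() else res

def is_local(sigma):   # Section 3: local iff the type carries an input capability
    return isinstance(sigma, tuple) and sigma[0] == "chan" and sigma[1] not in (TOP, BOT)

def system_composable(g, d):
    """Definition 3.1: meet defined and no name local in both environments."""
    return meet_env(g, d) is not None and not any(
        is_local(g[u]) and is_local(d[u]) for u in set(g) & set(d))

# Constructed from Example 4.4: sigma = (int, (int)^o)^i and tau = sigma -> proc.
SIGMA = inp("int", out("int"))
TAU = ("->", SIGMA, "proc")
SQSERV_ENV = {"req": inp(out(TAU))}   # req: ((tau)^o)^i, the server inputs on req
CLIENT_ENV = {"req": out(out(TAU))}   # req: ((tau)^o)^o, the client only outputs
# The system a?(x).P || a?(z).Q of Section 3: input on a at two locations.
LEFT_ENV, RIGHT_ENV = {"a": inp("nat")}, {"a": inp("nat")}

def check():
    """(SqServ||Client composable, merged req type is ((tau)^o)^io, bad pair)."""
    return (system_composable(SQSERV_ENV, CLIENT_ENV),
            meet_env(SQSERV_ENV, CLIENT_ENV)["req"] == io(out(TAU)),
            system_composable(LEFT_ENV, RIGHT_ENV))   # (True, True, False)
```

The merged type of req is exactly the ((τ)^o)^io under which the paper types SqServ || Client, while the two-input configuration fails because a is local in both environments.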

Subject Reduction We now prove that locality is preserved under reduction.

Lemma 4.5. (1) (algebra on environments) Γ_1 ⊢ SBL and Γ_2 ⊢ SBL imply Γ_1 ⊓ Γ_2 ⊢ SBL, and Δ_1 ⋈_l Δ_2 and Δ_1 ⋈_l Δ_3 implies Δ_1 ⋈_l Δ_2 ⊓ Δ_3.

(2) If ρ ∈ Sble then Γ ⊢_l P : ρ implies there exists Δ s.t. Δ ≥ Γ, Δ ⊢_l SBL, and Δ ⊢_l P : ρ.

(3) (substitution) Suppose Γ, x:τ ⊢_l P : ρ and Γ ⊢_l V : τ. Then Γ ⊢_l P{V/x} : ρ.

The second property, which is needed to prove (3), is the most important. In the type system there are many different ways of inferring a sendable type, for example using Const_l, Chan_l, Sub or App. However we can regard all sendable types as being inferred in a uniform manner by an application of Term_l.⁴

The main lemma requires the order-theoretic property, FBC, of our subtyping relation, together with Lemma 4.5.

Lemma 4.6. (Main Lemma) Suppose Γ_1, x:τ' ⊢_l P : π and Γ_2 ⊢_l V : s(τ) with Γ_1 ⋈_l Γ_2 and τ' ≥ s(τ). Then there exists Δ such that: (1) Γ_2 ≤ Δ with Δ ⊢_l SBL and Δ ⊢_l V : s(τ), (2) Γ_1 ⊓ Δ ⊢_l P{V/x} : π, and (3) Γ_1 ⊓ Δ ⊓ Γ_2 = Γ_1 ⊓ Γ_2 with Γ_1 ⊓ Δ ⋈_l Γ_2.

The non-trivial case of the proof of the subject reduction property is when a value is sent to a different location by the (com_l) rule: suppose Γ_1 ⊢_l a?(x:τ).P, Γ_2 ⊢_l a!⟨V⟩.Q and Γ_1 ⋈_l Γ_2. Then we must show:

Γ_1 ⊓ Γ_2 ⊢_l a?(x:τ).P || a!⟨V⟩.Q  implies  Γ_1 ⊓ Δ ⊢_l P{V/x} and Γ_2 ⊢_l Q

with Γ_1 ⊓ Δ ⋈_l Γ_2 and Γ_1 ⊓ Δ ⊓ Γ_2 = Γ_1 ⊓ Γ_2 for some Δ. By the main lemma, we can take Δ as a sendable environment such that Δ ⊢_l V : s(τ). Now we establish:

Theorem 4.7. (Subject Reduction Theorem) If Γ ⊢_l N and N → M, then Γ ⊢_l M.

⁴ The proof of the second property relies directly on the constraint on the construction of arrow types. Relaxing this constraint would allow us to type more terms as sendable. Typical examples take the form (λxy.x) P Q, with P being sendable and Q non-sendable. Indeed such terms may be exported between locations without violating locality constraints. But inventing a typing system which allows this behaviour is a topic for further research (cf. [23]).
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See [35] for the proofs. Combining Theorem 3.2 and Theorem 4.7, we now have:

Corollary 4.8. (Type Safety) Γ ⊢_l N and N →→ M imply ¬(M ↓_lerr).

5 Further Development 

5.1 Generalisation to Global/Local Subtyping 

Our typing system has a static view of the role of channels. From the point of view of a
given location they can only be used for input locally, whereas there is global access to
their output capability. A more general view is proposed in [30], whereby the input/output
capabilities of each channel can be designated to be either global or restricted to being
local. Here we show that our typing system can be adapted to this framework.

In this extension channel types are labelled by one of the locality modes, {GG, LG, GL, LL},
ranged over by $m, m'$. Their meaning is as follows:

(1) GG - a channel is allowed to be used as the input and output subjects anywhere. 

(2) GL (resp. LG) - a channel is used as the input (resp. output) subject anywhere, while as 
the output (resp. input) subject only inside this location. 

(3) LL - a channel is used as the input and output subjects only in this location. 

A partial order on this set is given by the reflexive closure of GG $<$ $m$ with $m$ = LG, GL and
$m$ $<$ LL. Then the syntax of channel types is extended to $m(S_i, S_o)$ where $m$ denotes how the
channel is used as the subject while $S_i, S_o$ stand for the types of objects which it carries.

In the revised system judgements take the form $\Gamma \vdash_g P : \rho$. First we replace CHAN$_l$
in Figure 9 with a more general rule which indicates when channel capabilities may be
transferred between locations:

$$\frac{\Gamma \vdash_g u : \mathrm{LL}(S_i, S_o)}{\Gamma \vdash_g u : s(\mathrm{GG}(\top, \bot))}
\qquad
\frac{\Gamma \vdash_g u : \mathrm{LG}(S_i, S_o)}{\Gamma \vdash_g u : s(\mathrm{GG}(\top, S_o))}
\qquad
\frac{\Gamma \vdash_g u : \mathrm{GL}(S_i, S_o)}{\Gamma \vdash_g u : s(\mathrm{GG}(S_i, \bot))}
\qquad
\frac{\Gamma \vdash_g u : \mathrm{GG}(S_i, S_o)}{\Gamma \vdash_g u : s(\mathrm{GG}(S_i, S_o))}$$

In general a capability can only be transmitted if it has the form $\mathrm{GG}(S_i, S_o)$ for some $S_i, S_o$.
As an example, if the mode is GL then the channel is prohibited from being used as the output subject in
another location; hence it can only be sent as the capability $(S_i, \bot)$, with the mode GG.

The input/output rules require minor modifications:

$$\text{IN}:\ \frac{\Gamma \vdash_g u : \mathrm{LL}(\tilde\tau)^i \quad \Gamma, \tilde x:\tilde\tau \vdash_g P : \mathrm{proc}}{\Gamma \vdash_g u?(\tilde x:\tilde\tau).P : \mathrm{proc}}
\qquad
\frac{\Gamma \vdash_g u : \mathrm{LL}(\tilde\tau)^o \quad \Gamma \vdash_g \tilde v : \tilde\tau \quad \Gamma \vdash_g P : \mathrm{proc}}{\Gamma \vdash_g u!(\tilde v)P : \mathrm{proc}}
\qquad
\frac{\Gamma \vdash_g u : \mathrm{LL}(s(\tilde\tau))^o \quad \Gamma \vdash_g \tilde v : s(\tilde\tau) \quad \Gamma \vdash_g P : \mathrm{proc}}{\Gamma \vdash_g u!(\tilde v)P : \mathrm{proc}}$$

Finally, to compose systems we need a more general definition of system composability:
two environments $\Gamma_1$ and $\Gamma_2$ are composable, denoted by $\Gamma_1 \bowtie_g \Gamma_2$, if $\Gamma_1 \bowtie \Gamma_2$ and if
$u : m_i(S_{ii}, S_{io}) \in \Gamma_i$ ($i = 1, 2$), then (1) $m_i = \mathrm{LL}$ implies $S_{ji} = \top$ and $S_{jo} = \bot$, (2) $m_i = \mathrm{LG}$
implies $S_{ji} = \top$, and (3) $m_i = \mathrm{GL}$ implies $S_{jo} = \bot$, with $i \neq j$. This leads to the final change
to the typing rules:

$$\text{PAR}_g:\ \frac{\Gamma \vdash_g M \quad \Delta \vdash_g N \quad \Gamma \bowtie_g \Delta}{\Gamma \cap \Delta \vdash_g M \parallel N}$$

Theorem 5.1. (Subject Reduction) If $\Gamma \vdash_g N$ and $N \longrightarrow M$, then $\Gamma \vdash_g M$.

A Type Safety Theorem could easily be established for this typing system, by introducing a
tagged version of the language (cf. [14, 24, 30]).
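As an added illustration (not code from the paper), the locality modes of Section 5.1 in Python: the order on modes, the capability that the generalised CHAN rule lets a location transmit, and the composability check Γ1 ⋈_g Γ2 on two location environments. The underlying condition Γ1 ⋈ Γ2 of Section 4 is assumed to hold and is not modelled; the channel name, the object types and all function names are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict

TOP, BOT = "TOP", "BOT"   # object types: TOP = no input capability, BOT = no output capability
MODES = ("GG", "LG", "GL", "LL")

@dataclass(frozen=True)
class ChanType:
    mode: str   # locality mode: GG, LG, GL or LL
    s_i: str    # type S_i of objects received on the channel
    s_o: str    # type S_o of objects sent on the channel

def mode_leq(m1: str, m2: str) -> bool:
    """Reflexive closure of GG < LG, GG < GL, LG < LL, GL < LL (Section 5.1)."""
    return m1 == m2 or m1 == "GG" or m2 == "LL"

def sendable(t: ChanType) -> ChanType:
    """The generalised CHAN rule: the only capability that may leave the location.
    Every capability restricted to 'local' is dropped (input -> TOP, output -> BOT)
    and the transmitted type is always in mode GG."""
    s_i = t.s_i if t.mode in ("GG", "GL") else TOP   # input usable anywhere only for GG, GL
    s_o = t.s_o if t.mode in ("GG", "LG") else BOT   # output usable anywhere only for GG, LG
    return ChanType("GG", s_i, s_o)

def composable(g1: Dict[str, ChanType], g2: Dict[str, ChanType]) -> bool:
    """Conditions (1)-(3) of Γ1 ⋈_g Γ2 (the base check Γ1 ⋈ Γ2 is assumed to hold):
    a capability that location i keeps local must be absent from location j."""
    for own, other_env in ((g1, g2), (g2, g1)):
        for name, t in own.items():
            other = other_env.get(name)
            if other is None:
                continue
            if t.mode == "LL" and (other.s_i != TOP or other.s_o != BOT):
                return False            # (1) LL: the other side may neither read nor write
            if t.mode == "LG" and other.s_i != TOP:
                return False            # (2) LG: the other side may not read
            if t.mode == "GL" and other.s_o != BOT:
                return False            # (3) GL: the other side may not write
    return True

def export_is_safe(t: ChanType) -> bool:
    """The capability the rule lets a location send is always composable with the
    environment that keeps the original type (constructed channel name 'a')."""
    return composable({"a": t}, {"a": sendable(t)})

def naive_export_is_safe(t: ChanType) -> bool:
    """Copying the full local type to the other location, which the rule forbids."""
    return composable({"a": t}, {"a": t})

if __name__ == "__main__":
    for m in MODES:
        t = ChanType(m, "int", "int")
        print(m, sendable(t), export_is_safe(t), naive_export_is_safe(t))
```

The naive export fails the composability check for every mode except GG, which is exactly the case the rule singles out as transmittable unchanged.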

5.2 Behavioral Equivalence 

Typing systems impose constraints on the communication structure of processes, and various
authors, for example [24, 28, 33], have used this to define relativised behavioural
equivalences. These have proved useful, for example, in studying the properties of translations
between languages [3, 24, 33]. This technique can also be applied to Dπλ, thereby
opening up the possibility of obtaining interesting relativised behavioural theories for
higher-order processes. Let $\approx_\Gamma$ (resp. $\sim_\Gamma$) denote a typed weak (resp. strong) barbed
reduction-closed congruence defined by input/output predicates and the reduction-closure
property as in [2, 17, 24, 28, 33]. Various properties of $\approx_\Gamma$ and $\sim_\Gamma$ proved for variations
of the π-calculus can easily be generalised to Dπλ; a simple example is closure under
β-reduction (see page 10 in [2]). We can also prove various distributed equations, such as:

$$(P \mid \mathrm{Spawn}(Q)) \parallel R \;\approx_\Gamma\; (P \parallel Q) \parallel R \;\approx_\Gamma\; P \parallel (Q \mid R)
\qquad\text{and}\qquad
P \parallel (a!(V) \mid Q) \;\approx_\Gamma\; (P \mid a!(V)) \parallel Q.$$

We also have the following multiple higher-order strong replication theorem, which is
not valid in Dπλ without types, but valid in the local Dπλ studied in Section 4.

Proposition 5.2. Let us define $R \stackrel{\mathrm{def}}{=} {*a?(x).R_1} \mid \cdots \mid {*a?(x).R_n}$ with $R_i$ sendable. Then
we have:

$$(\nu a)(P \parallel R \parallel Q) \;\sim_\Gamma\; (\nu a)(P \mid R) \parallel (\nu a)(R \mid Q)$$

Note we do not require any side condition for $P$ and $Q$ (cf. [24]). The proof is by observing
that $P$ and $Q$ may only export the sendable value $V$ via $a$, since it is impossible that the
name $a$ is local in either $P$ or $Q$. We can then apply the standard reasoning framework
from [24, 27, 28]. See [35] for proofs. Note also that this proposition cannot be derived
in the framework of [28], since $a$ is neither a linear nor an ω-receptive name.

Such theorems will be useful for reasoning about object-oriented systems where templates
are shared among locations. Further extension of the typed equivalences studied in the
π-calculus (e.g. [28, 33]) to distributed higher-order processes is an interesting research
topic we intend to pursue.

5.3 Type Checking 

For practical use of a typing system, it is essential that we can check the well-typedness
of a system $N$ against a global type environment $\Gamma$. For this purpose, we can construct
a typing system equivalent to $\vdash_l$ without $\mathrm{TERM}_l$, to obtain a syntax-directed system (in
type reconstruction we use the partial meet operator to obtain a sendable type). Using
this, we can easily obtain an algorithm to check the typability of $P$ against $\Gamma$, as well as an
algorithm to compute $\rho$ such that $\Gamma \vdash_l P : \rho$, along the lines of [31]. Once processes in each
location are type-checked, the algorithm which computes typability of a global system
$\Gamma \vdash_l N$ is simply obtained by decidability of $\Gamma \bowtie_l \Delta$. See [35] for details.

6 Discussion and Related Work 

570 Nobuko Yoshida and Matthew Hennessy

We have proposed a local subtyping system for a simple higher-order distributed process
language Dπλ and we used it to show that a global safety condition can be guaranteed by
static type-checking of each local configuration. Our typing system does not require
additional information on the resources available at different locations to ensure that
higher-order processes can be safely passed between locations without violating locality
constraints on channels. The notion of sendable values and the corresponding sendable types
plays an essential role in our typing system. Other schemes for restricting capabilities of
higher-order terms by types may also be found in various different contexts; for example,
in reference types [23], agent migration [26], an implementation of network protocols
[18], and a location-based Linda language [22].

The distributed component of Dπλ is rather primitive, but we believe that the type
inference system can easily be adapted to languages where, for example, locations can be
named and dynamically generated as in [3, 14], or where there is more significant interplay
between the concurrent and the functional language primitives, as in Facile [9, 19].
However, extensions of our capability-based typing systems to more advanced distributed
primitives, such as hierarchical location spaces [32], process mobility [6, 10, 29], and
cryptographic constructs [1, 13], will be more challenging. Since in our language we
inherit the standard subtyping of the λ-calculus, it is also possible to consider the introduction
of richer subtyping relations, for example those based on records, recursive types,
or polymorphic types, into type systems for distributed languages.

It has been argued that in some sense there is no need for higher-order constructs in
π-calculus based languages. For example, in [27] there is a concise translation of processes
using higher-order values into the π-calculus. However, as we will now examine in the
context of Dπλ, certain information is lost in such translations.

The basic idea of the translation in [27] is to replace the transmission of an abstraction
with the transmission of a newly generated trigger. An application of the abstraction is
then replaced by a transmission of the data to the trigger, which provides a copy of the
abstraction body to process the data. Using this idea sqServ is replaced by

$$[\![\mathrm{sqServ}]\!] \stackrel{\mathrm{def}}{=} {*\mathrm{req}?(r).\,(\nu\, tr)(r!(tr) \mid S_{tr})}
\quad\text{with}\quad
S_{tr} \stackrel{\mathrm{def}}{=} {*tr?(x).\,\mathrm{sq}(x)}$$

Here, when a request is received, a new trigger is generated and then returned to the client.
Associated with the trigger is a trigger server, $S_{tr}$, which receives data on the trigger and
then executes the body, namely $\mathrm{sq}(x)$. Suppose we have the following Client2, which
may already have a square server, for example for faster parallel evaluation.

$$\mathrm{Client2} \stackrel{\mathrm{def}}{=} (\nu\, a\, r)(\mathrm{req}!(r).\, r?(A).\, A\,a \mid \mathrm{sq}(a) \mid a!(1, c_1) \mid a!(2, c_2) \mid \cdots)$$

Then the client is replaced by

$$[\![\mathrm{Client2}]\!] \stackrel{\mathrm{def}}{=} (\nu\, a\, r)(\mathrm{req}!(r).\, r?(tr).\, tr!(a) \mid \mathrm{sq}(a) \mid a!(1, c_1) \mid a!(2, c_2) \mid \cdots)$$

The application in Client2 is replaced by a transmission of $a$ to the trigger, which was
received in response to the request. However, there exists an essential difference between
$\mathrm{sqServ} \parallel \mathrm{Client2}$ and its translation $[\![\mathrm{sqServ}]\!] \parallel [\![\mathrm{Client2}]\!]$. In the former, the new
receptor $\mathrm{sq}(a)$ is created in the client location, whereas in the latter $\mathrm{sq}(a)$ is created on the
server side:

$$\mathrm{sqServ} \parallel \mathrm{Client2} \;\longrightarrow\; \mathrm{sqServ} \parallel (\nu a)(\mathrm{sq}(a) \mid \mathrm{sq}(a) \mid \cdots)$$

$$[\![\mathrm{sqServ}]\!] \parallel [\![\mathrm{Client2}]\!] \;\longrightarrow\; (\nu a)(\mathrm{sq}(a) \mid [\![\mathrm{sqServ}]\!] \parallel \mathrm{sq}(a) \mid a!(1, c_1) \mid \cdots)$$

This disturbs the locality of the channel $a$. Actually we can check that for all $\Gamma$ we have
$\Gamma \nvdash_l [\![\mathrm{Client2}]\!] \parallel [\![\mathrm{sqServ}]\!]$, since $a$ would have to be used as an input capability on the server side
to create a new $\mathrm{sq}(a)$. But $\mathrm{sqServ} \parallel \mathrm{Client2}$ is typable, as seen in Example 4.4. This
example shows that it would be difficult to adapt the translation technique in [27] so that
the local typing structure is preserved; it provides at least one reason why higher-order
distributed calculi are worthy of investigation independently. Moreover, as argued in
[8, 9, 19, 22, 29], many practical applications call for parameterised higher-order process
passing, which may be difficult to represent directly without functional constructions,
even in languages which support migration of processes; their presence leads to a
natural and powerful programming style, as seen in the above literature.

Preserving the locality of channels has been studied extensively for the π-calculus
[3, 4, 20, 34, 10]. For example, the (untyped) local π-calculus [4, 20, 34] is simply defined
with the following input restriction rule:

$$a?(x).P \quad\text{if } x \text{ does not appear as a free input subject in } P$$

If we consider the subset of Dπλ where the abstraction mechanisms are omitted and only
a single location is used, then the typing system automatically enforces this restriction on
well-typed terms. However, it would be wrong to generalise this restriction to higher-order
terms by imposing the constraint:

$$\lambda x.P \quad\text{if } x \text{ does not appear as a free input subject in } P$$

This is too strong: new receptors could never be created by β-reduction, hence Example
4.4 would no longer be typable. Moreover, this idea does not work if we wish to control
higher-order variables, as seen in Example 3.3 (see also [35]).

A locality condition similar to ours is used in [10] in describing various kinds of encodings
in the Distributed Join-Calculus. Our approach is more general; we have a formal
typing system for arbitrary higher-order process passing and instantiation which ensures
locality of receptors, although new receptors can be created inside the same location.

Acknowledgements: We thank James Riely, Kohei Honda and the members of the
Wednesday Study Group of Sussex University for comments and discussions, and anonymous
referees for useful comments.

References

1. Abadi, M. and Gordon, A., The Spi-calculus, Computer and Communications Security, pp.36-47, ACM Press, 1997.

2. Amadio, R., Translating Core Facile, ECRC Research Report 944-3, 1994.

3. Amadio, R., An asynchronous model of locality, failure, and process mobility, INRIA Report 3109, 1997.

4. Boreale, M., On the Expressiveness of Internal Mobility in Name-Passing Calculi, CONCUR’96, LNCS 1119, pp.163-178, Springer-Verlag, 1996.

5. Boudol, G., The π-Calculus in Direct Style, POPL’98, pp.228-241, ACM Press, 1998.

6. Cardelli, L. and Gordon, A., Typed Mobile Ambients, POPL’99, pp.79-92, ACM Press, 1999.

7. Chien, A., Concurrent Aggregates, MIT Press, 1993.

8. Ferreira, W., Hennessy, M. and Jeffrey, A., A Theory of Weak Bisimulation for Core CML, ICFP, pp.201-212, ACM Press, 1996. The full version appeared in J. Func. Prog., 8(5):447-491, 1998.

9. Giacalone, A., Mishra, P. and Prasad, S., Operational and Algebraic Semantics for Facile, ICALP’90, LNCS 443, pp.765-780, Springer-Verlag, 1990.

10. Fournet, C., Gonthier, G., Lévy, J.-J., Maranget, L. and Rémy, D., A Calculus for Mobile Agents, CONCUR’96, LNCS 1119, pp.406-421, Springer-Verlag, 1996.

11. Sun Microsystems Inc., Java home page, http://www.javasoft.com/, 1995.

12. Hartonas, C. and Hennessy, M., Full Abstractness for a Functional/Concurrent Language With Higher-Order Value-Passing, Information and Computation, Vol. 145, pp.64-106, 1998.

13. Heintze, N. and Riecke, J., The SLam Calculus: Programming with Secrecy and Integrity, POPL’98, pp.365-377, ACM Press, 1998.

14. Hennessy, M. and Riely, J., Resource Access Control in Systems of Mobile Agents, CS Report 02/98, University of Sussex, http://www.cogs.susx.ac.uk, 1998.

15. Honda, K., Composing Processes, POPL’96, pp.344-357, ACM Press, 1996.

16. Honda, K. and Tokoro, M., An Object Calculus for Asynchronous Communication, ECOOP’91, LNCS 512, pp.133-147, Springer-Verlag, 1991.

17. Honda, K. and Yoshida, N., On Reduction-Based Process Semantics, TCS, No. 151, pp.437-486, North-Holland, 1995.

18. Jeffrey, A. and Wakeman, I., SafetyNet, available from http://klee.cs.depaul.edu/an/, 1998.

19. Leth, L. and Thomsen, B., Some Facile Chemistry, ECRC Technical Report ECRC-92-14, 1992.

20. Merro, M. and Sangiorgi, D., On asynchrony in name-passing calculi, ICALP’98, LNCS 1443, pp.856-867, Springer-Verlag, 1998.

21. Milner, R., Parrow, J.G. and Walker, D.J., A Calculus of Mobile Processes, Information and Computation, 100(1), pp.1-77, 1992.

22. De Nicola, R., Ferrari, G. and Pugliese, R., Klaim: a Kernel Language for Agents Interaction and Mobility, IEEE Trans. on Software Engineering, Vol. 24(5), 1998.

23. O’Hearn, P., Power, J., Takeyama, M. and Tennent, D., Syntactic Control of Interference Revisited, MFPS’97, ENTCS, Elsevier, 1997.

24. Pierce, B.C. and Sangiorgi, D., Typing and subtyping for mobile processes, MSCS, 6(5):409-454, 1996.

25. Pierce, B. and Turner, D., Pict: A Programming Language Based on the Pi-calculus, Indiana University, CSCI Technical Report 476, March 1997.

26. Riely, J. and Hennessy, M., Trust and Partial Typing in Open Systems of Mobile Agents, CS Technical Report 04/98, University of Sussex, available at http://www.cogs.susx.ac.uk, 1998.

27. Sangiorgi, D., Expressing Mobility in Process Algebras: First Order and Higher Order Paradigms, Ph.D. Thesis, University of Edinburgh, 1992.

28. Sangiorgi, D., The name discipline of uniform receptiveness, ICALP’97, LNCS 1256, pp.303-313, 1997.

29. Sekiguchi, T. and Yonezawa, A., A calculus with code mobility, IFIP, pp.21-36, Chapman & Hall, 1997.

30. Sewell, P., Global/Local Subtyping and Capability Inference for a Distributed π-calculus, ICALP’98, LNCS 1443, pp.695-706, Springer-Verlag, 1998.

31. Vasconcelos, V. and Honda, K., Principal Typing Scheme for Polyadic π-Calculus, CONCUR’93, LNCS 715, pp.524-538, Springer-Verlag, 1993.

32. Vitek, J. and Castagna, G., A Calculus of Secure Mobile Computations, available at http://cuiwww.unige.ch/~jvitek, 1999.

33. Yoshida, N., Graph Types for Monadic Mobile Processes, FST&TCS’16, LNCS 1180, pp.371-386, Springer-Verlag, 1996. Full version as LFCS Technical Report ECS-LFCS-96-350, 1996.

34. Yoshida, N., Minimality and Separation Results on Asynchronous Mobile Processes: representability theorems by concurrent combinators, CONCUR’98, LNCS 1466, pp.131-146, Springer-Verlag, 1998. Full version as CS Report 05/98, University of Sussex, available at http://www.cogs.susx.ac.uk, 1998.

35. The full version of this paper, CS Technical Report 01/99, University of Sussex, available at http://www.cogs.susx.ac.uk, 1999.




Author Index

Martin Abadi 288
Luca de Alfaro 66, 82
Rajeev Alur 82, 98, 114
Paul C. Attie 130
Christel Baier 146
Michael von der Beeck 399
Albert Benveniste 162
Béatrice Bérard 178
Eike Best 194
Burkhard Bieber 210
F.S. de Boer 226
Benoît Caillaud 162
Rance Cleaveland 1, 399
Hubert Comon 242
Josée Desharnais 258
Javier Esparza 2, 525
Arkady Estrin 274
Cormac Flanagan 288
Hans Fleischhack 210
Laurent Fribourg 178
Yuxi Fu 304
Rob J. van Glabbeek 21
Paul Le Guernic 162, 494
Vineet Gupta 258
René Rydhof Hansen 463
Matthew Hennessy 557
Thomas A. Henzinger 82, 320
Holger Hermanns 146
Benjamin Horowitz 320
Radha Jagadeesan 258
Petr Jančar 30
Jacob Grydholt Jensen 463
Yuh-Jzer Joung 336
Yan Jurski 242
Michael Kaminski 274
Joost-Pieter Katoen 146
Barbara König 352
Antonín Kučera 368
Orna Kupferman 383
Alexander Lavrov 194
Gerald Lüttgen 399
Rupak Majumdar 320
Freddy Y.G. Mang 82
Richard Mayr 368
José Meseguer 415
Marius Minea 431
Faron Moller 30
Rémi Morin 447
Flemming Nielson 463
Hanne Riis Nielson 463
Thomas Noll 478
David Nowak 494
Catuscia Palamidessi 28
Prakash Panangaden 258
Antti Puhakka 510
Christine Röckl 525
Stefan Römer 2
Brigitte Rozoy 447
Carolyn Talcott 415
Jean-Pierre Talpin 494
Jan Tretmans 46
Antti Valmari 510
Moshe Y. Vardi 383
Bow-Yaw Wang 98
Glynn Winskel 541
Mihalis Yannakakis 114
Nobuko Yoshida 557
G. Zavattaro 226